Self Assessment

Weekly Intelligence Report – 22 Dec 2023

Published On : 2023-12-22
Share :
Weekly Intelligence Report – 22 Dec 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Industries: Apparel Retailers, Business Support Services, Chemicals, Construction, Food, IT, Manufacturing, Oil & Gas, Retail, Semiconductors, and Transportation.
Target Geography: Austria, Brazil, Denmark, France, India, Indonesia, Portugal, South Korea, Spain, Turkey, United States of America, Vietnam.

CYFIRMA Research and Advisory Team has found a Mallox ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Mallox ransomware:
Mallox is a ransomware threat that has been operational since its appearance in 2021.

Mallox ransomware typically gains initial access by exploiting vulnerabilities in publicly exposed services, with a specific emphasis on MS-SQL (Microsoft SQL Server) and ODBC (Open Database Connectivity) interfaces. It specifically targets vulnerabilities such as unpatched instances of older remote code execution (RCE) vulnerabilities like CVE-2019-1068 in Microsoft SQL Server and CVE-2020-0618 in Microsoft SQL Server Reporting Services.

Furthermore, the group effectively employs brute force attacks against services and applications that are inadequately configured and exposed to the public internet. In recent campaigns, Mallox actors obtained initial access through dictionary-based brute-force attacks targeting vulnerable MS-SQL interfaces. However, Mallox affiliates are also known to utilize other vectors, such as phishing emails, to deliver attack frameworks.

Once Mallox threat actors gain entry, they usually use PowerShell commands to trigger batch scripts and fetch the ransomware payload. They employ scripts like Kill-Delete.bat or Bwmeldokiller.bat to stop or delete active processes that could hinder or stop the ransomware’s encryption process.

Commands are executed to download and launch the ransomware payloads.

The sequence of commands starts by creating a PowerShell script in the temporary directory of the system. It uses the WebClient class to download an executable from a remote server. The PowerShell script, named updt.ps1, is then executed by bypassing execution policy restrictions, allowing it to run without limitations. Following this, the script utilizes Windows Management Instrumentation (WMIC) to execute the ransomware payload.

The payloads of Mallox, spanning from 2021 to the present, consistently demonstrate a set of core functions. This suggests that threat actors have found success using a reliable approach. The latest payloads are named “Mallox.Resurrection”.

Certain file types and processes are deliberately excluded from encryption through predefined rules. These exclusions are coded directly into the malware and spare specific file types based on their extensions.

Files types excluded based on extensions,
.386, .adv, .ani, .avast, .bat, .bin, .cab, .cmd, .com, .cpl, .cur, .deskthemepack, .diagcfg, .diagpkg, .diangcab, .dll, .drv, .exe, .Globeimposter-Alpha865qqz .hlp, .hta, .icl, .icns, .ico, .ics, .idx, .key, .lnk, .lock, .mallox, .mallox, .mod, .mpa, .msc, .msi, .msp, .msstyles, .msu, .nls, .nomedia, .ocx, .prf, .ps1, .rom, .rtp, .scr, .shs, .spl, .sys, .theme, .themepack, .wpx

Upon launch, the ransomware spawns the following commands:
bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {current} recoveryenabled no

These actions aim to modify the Boot Configuration Data (BCD) settings, impacting the operating system’s capacity to recover from failures and hindering administrators from restoring the system using Windows’ built-in tools.

Files that have been encrypted by Mallox are marked with the “.mallox” extension. Additionally, a ransom note named “HOW TO BACK FILES.TXT” is deposited in each folder containing the encrypted files. This note provides instructions on obtaining a decryption tool via TOR and includes a unique identifier for the victim known as the TargetID. Notably, there was an observed shift in the contact email within Mallox ransom notes, changed from “mallox@onionmail” to “[email protected].”

In addition to the ransom notes, a file named “Targetinfo.txt” is placed on the user’s Desktop. This file includes the TargetID and provides basic details about the host’s environment, such as the operating system version, architecture, and hostname.

Screenshot of Mallox ransom note(Source: Surfaceweb)

Screenshot of Files Encrypted by Mallox ransomware (Source: Surfaceweb)

Countries targeted by Mallox Ransomware.

Following are the TTPs based on the MITRE Attack Framework.

Relevancy and Insights:

  • This ransomware targets the Windows Operating system commonly used by many organizations of various industries.
  • The Ransomware alters the registry key “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxConnectionTime” and “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime”, setting their values to 0. This modification allows the ransomware to eliminate time constraints on remote desktop connections. Hence the ransomware extends control over compromised systems, ensuring persistent access, and enabling further malicious activities aligned with its goal.
  • Detect-debug-environment: The ransomware has mechanisms to detect whether it is running in a debugging or analysis environment. It’s a defensive measure to avoid detection and analysis.
  • The ransomware exhibits long sleep behavior in its execution to evade detection by security tools that flag rapid or suspicious activities. Additionally, it checks user input, analyzing actions or keyboard entries, these are the tactics to avoid detection in sandbox environments.

ETLM Assessment:
Cyfirma’s assessment based on the available information suggests that Mallox ransomware will likely evolve its tactics to exploit new vulnerabilities and diversify initial access methods, possibly incorporating more sophisticated evasion techniques. It may continue targeting Windows systems across various industries. Additionally, ransomware’s persistence through altering registry keys indicates a focus on prolonged control. Staying vigilant against evolving tactics is crucial, emphasizing the need for robust backup solutions, regular software updates, and user education to mitigate potential impacts.

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

Sigma Rule:
title: Shadow Copies Deletion Using Operating Systems Utilities
– attack.defense_evasion
– attack.impact
– attack.t1070
– attack.t1490
category: process_creation
product: windows
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘diskshadow.exe’
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’
– ‘resize’
– ‘shadowstorage’
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
– CommandLine
– ParentCommandLine
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high

(Source: Surface web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Trojan
Objective: Infiltration, Malware implant
Suspected Threat Actor: TA577
Target Technology: Windows

Active Malware of the Week
This week “PikaBot” is trending.

Over the recent days, researchers have detected PikaBot, a fresh malware family that surfaced in early 2023. Its distribution method has shifted to malvertising, marking a departure from its previous mode of dissemination through malspam campaigns.

In earlier attacks, the typical PikaBot distribution chain involves an email with a link to an external website, leading users to download malicious JavaScript from a zip archive. The JavaScript establishes a random directory structure, retrieves the payload via the curl utility, and executes it (DLL) through rundll32. PikaBot’s core module is injected into the legitimate SearchProtocolHost.exe process, and its loader employs indirect syscalls to conceal the injection, enhancing the malware’s stealthiness. However, in this latest campaign, PikaBot has shifted tactics, leveraging malvertising to target Google searches related to the remote application AnyDesk.

PikaBot’s Origin and TA577’s Affiliation
PikaBot was initially identified in February 2023 as a potential Matanbuchus drop from a Malspam campaign. Matanbuchus is considered to be a loader type of malware used to download and execute malware payloads on the targeted environments. It was later attributed to the threat actor TA577, known for distributing various payloads like QakBot, IcedID, SystemBC, and Cobalt Strike, has links to ransomware distribution. Unlike its past distribution solely through malspam campaigns, PikaBot has evolved into one of the preferred payloads for the threat actor TA577.

Attack method
The campaign focuses on Google searches related to the remote application AnyDesk. Security researchers traced the distribution chain and confirmed the payload as PikaBot. Another aspect of the campaign involves a different ad impersonating the AnyDesk brand under the fake persona “Manca Marina.”

Upon clicking the impersonate link, users are redirected to a decoy website at anadesky[.]ovmv[.]net.

The download is a digitally signed MSI installer, which, at the time of collection, showed zero detection on VirusTotal. Notably, its intriguing feature lies in its ability to evade detection upon execution. Following the attached execution flow of the PikaBot.

Evasion: Stealthy Tactics

To outsmart Google’s security, the threat actors are using a tricky method. They send a tracking URL through a normal marketing platform, then shift to their own secret domain hidden behind Cloudflare. Here’s the catch: only clean IP addresses move forward in the plan. They use JavaScript to check if you’re using a virtual machine. If everything checks out, you get redirected to their main fake AnyDesk site.

What’s even sneakier? There’s a second check when you click the download button. It’s like a double-check to make sure the download link doesn’t work if you’re in a virtual environment.


  • Over the past year, there has been a notable increase in the use of malicious ads (malvertising) through search engines to distribute malware, particularly targeting businesses. Browser-based attacks, including those stemming from social engineering campaigns, have become more prevalent. Criminals have achieved success in acquiring new victims through search ads, utilizing specialized services to bypass Google’s security measures and establish decoy infrastructures.
  • PikaBot reveals a highly sophisticated and adaptable malware strain with diverse distribution channels, including malvertising and malspam campaigns. PikaBot’s ability to exploit Google’s security measures and use fingerprinting techniques underscores the evolving nature of cyber threats. Its association with the threat actor TA577, known for distributing various payloads and having links to ransomware, indicates a broader and potentially coordinated cybercriminal operation.
  • The use of advanced evasion techniques reflects a concerted effort to stay under the radar and maximize impact. The choice of hosting the MSI installer on Dropbox adds an additional layer to the complexity of the operation. The observed similarities with past malvertising chains, especially in targeting specific platforms like Zoom and Slack, raise the possibility of a systematic “malvertising as a service” model, indicating a potential organized network supporting various threat actors with ad distribution and decoy pages.

From the ETLM perspective, CYFIRMA anticipates that the evolution of PikaBot suggests a trajectory towards more sophisticated and adaptable cyber threats. Its demonstrated agility and integration into various campaigns, combined with advanced evasion techniques, indicate a potential for increased complexity in future iterations. Looking ahead, the emphasis on targeting popular platforms like AnyDesk through Google searches suggests a future trend where cyber threats will increasingly focus on widely used applications. This poses potential risks for organizations heavily dependent on such platforms, indicating a need for heightened cybersecurity measures. The incorporation of deceptive ads and impersonation tactics in attack methods introduces a new level of complexity, underscoring the importance of organizations adopting proactive defense strategies. In the evolving landscape of threats like PikaBot, future cybersecurity efforts should prioritize increased awareness and adaptive defense measures to effectively counter the dynamic and sophisticated nature of these emerging risks.

Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploiting a weakness in the system and potential exfiltration of data.
  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Implement real-time website monitoring to analyse network traffic going in and out of the website to detect malicious behaviours.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
  • Regularly reinforce awareness of unauthorized attempts with end-users across the environment and emphasize the human weakness in mandatory information security training sessions. 
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Always inspect the full URL before downloading files to ensure it matches the source.


  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Always listen to the research community and customer feedback when contacted about potential vulnerabilities detected in your infrastructure, or related compliance issues.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –Black Basta Ransomware | Malware –PikaBot
  • Black Basta Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware –PikaBot
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Gaza Cyber Gang Employed Modified Version of Pierogi Malware to Target Palestine and Israel
Threat Actors: Gaza Cyber Gang
Attack Type: Spear Phishing
Objective: Espionage
Target Technology: Windows
Target Geographies: Palestine and Israel
Target Industries: Unknown
Business Impact: Data Loss, Data exfiltration

Recently the Gaza Cyber Gang, a pro-Hamas threat actor, has been observed targeting Palestinian entities using an updated backdoor called Pierogi++. This updated malware, named by researchers, differs from its predecessors by being implemented in C++ rather than Delphi or Pascal. Security researchers observed a consistent targeting pattern of Palestinian entities in the group’s recent activities, unchanged since the onset of the Israel-Hamas conflict. The group is active since at least 2012. The Gaza Cyber Gang has a history of targeting the Middle East, specifically Israel, and Palestine, employing spear-phishing as a primary method for initial access. Their arsenal includes various malware families like BarbWire, DropBook, LastConn, Micropsia, and more. In recent months, the group has been tied to a series of attacks deploying modified versions of Micropsia and Arid Gopher implants, along with a new initial access downloader named IronWind. The most recent breaches attributed to the Gaza Cyber Gang involve the utilization of Pierogi++ and Micropsia. The initial deployment of Pierogi++ dates back to late 2022. The Gaza Cyber Gang’s attack methodology involves the use of decoy documents, written in Arabic or English and relevant to Palestinian interests, as a means to introduce these backdoors. Previously known as Pierogi from February 2020, it was an implant enabling attackers to spy on targets. The researchers highlighted that the communication commands and code strings within the binary were previously written in Ukrainian. The backdoor might have been acquired from underground networks rather than being internally developed. Both Pierogi and Pierogi++ possess capabilities to capture screenshots, execute commands, and retrieve files provided by the attackers.

Relevancy & Insights:
Both Pierogi and Pierogi++ possess capabilities to capture screenshots, execute commands, and retrieve files provided by the attackers. An interesting update is the absence of Ukrainian code strings in the newer versions of these artifacts. Despite sustained attention to Palestine, the development of Pierogi++ underscores the group’s continuous efforts to enhance malware for successful network compromise and persistence access.

ETLM Assessment:
The team at CYFIRMA observed a surprising cyber-attack by the Gaza Cyber gang. The group is pro-Hamas that chose to target Palestinian entities revealing the group’s aim to zero down moles working for the Israeli government and get rid of internal threats that could leave damage in the ongoing conflict. Simultaneously, the group was observed targeting Israeli entities, and these cyber-attacks will continue as gathering intel against Israel and removing inside moles, favouring Hamas in the ongoing conflict.


  • Keep all software, including operating systems and applications, up to date to patch vulnerabilities.
  • Conduct cybersecurity awareness training to help staff recognize phishing attempts and suspicious activities.
  • Implement and maintain robust firewalls and antivirus software to detect and prevent malware.
  • Develop and regularly update an incident response plan to efficiently handle security incidents.
  • Maintain regular backups of critical data and systems. Ensure these backups are stored securely and are regularly tested for reliability.
  • Use threat intelligence services and monitoring tools to detect and analyse potential threats in real-time.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Cyber-attack paralyzes majority of gas stations in Iran
About seventy percent of Iran’s gasoline stations went out of operation due to what Iranian media at first described as a “software problem” but which was subsequently described as a large-scale cyber-attack targeting the payment systems of the impacted gas stations, as well as management systems, as reported by researchers and later also Iran’s Oil Ministry. The attack has been claimed by Predatory Sparrow, a group that Iran attributes to Israel and about which Israel does not offer any comment. The group issued a statement in which it claimed the cyberattack came in response to the aggression of the Islamic Republic and its proxies in the region.

ETLM Assessment:
The attack is just another blow in the ongoing cyber war between Iran and Israel. Israel’s National Cyber Directorate previously stated that the prospect of an intensified Iranian cyber campaign is deeply worrying, since Iran “knows that they can act there [in cyberspace] more freely than in physical space”. An attack such as this one is likely meant to show Iran, that it too is vulnerable to cyber-attacks and that it should not overstep certain boundaries.

Rise in Malware/Ransomware and Phishing

Alexander Dennis is Impacted by the Black Basta Ransomware
Attack Type: Ransomware
Target Industry: Manufacturing
Target Geography: United Kingdom
Ransomware: Black Basta Ransomware
Objective: Data Theft, Data Encryption, Financial Gains
Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from the United Kingdom, (www[.]alexander-dennis[.]com), was compromised by Black Basta Ransomware. Alexander Dennis is a British bus manufacturing company based in Larbert, Scotland. Alexander Dennis is the largest bus and coach manufacturer in the United Kingdom. It has manufacturing plants and partnerships in Canada, China, Europe, Hong Kong, Malaysia, New Zealand, Singapore, South Africa, and the United States. The data breach comprises information from various departments, such as Group data, HR, Finance, Legal, Engineering, and among others. The overall volume of compromised data amounts to 507 gigabytes.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Based on our observations in 2023, it has become clear that the Black Basta Ransomware group primarily directs its attention towards organizations based in the USA, making up 40 % of their main targets.
  • An investigation of the Black Basta ransomware group has revealed the group obtained at least $107 million in ransom payments from more than 90 victims since April 2022. Black Basta is a Russia-linked ransomware-as-a-service (RaaS) operation, where affiliates are recruited to conduct ransomware attacks for a cut of the profits. The group emerged after the infamous Conti ransomware operation was shut down in June 2022, and the members split into several smaller groups, one of which is believed to be Black Basta.
  • Based on the Black Basta Ransomware victims list in 2023, the top 5 Target Countries are as follows:
  • Ranking the Top 10 Industries, most affected by Black Basta Ransomware

ETLM Assessment:
CYFIRMA assesses Black Basta Ransomware will continue to focus on American businesses and related entities that hold significant amounts of Personally Identifiable Information (PII), financial information, or other sensitive data. However, the recent assault on Alexander Dennis highlights the dangers posed to companies, in advanced economies by the Black Basta Ransomware.

Vulnerabilities and Exploits

Vulnerability in 3CX CRM Integration
Attack Type: Vulnerabilities & Eploits
Target Technology: Hardware Solutions
Vulnerability: CVE-2023-49954 (CVSS Base Score 6.5)
Vulnerability Type: SQL Injection

The vulnerability allows a remote user to execute arbitrary SQL queries in database.

Relevancy & Insights:
The vulnerability exists due to insufficient sanitization of user-supplied data within 3CX CRM Integration. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Affected Products: https[:]//cve-2023-49954[.]github[.]io/

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.


This week, CYFIRMA researchers have observed significant impacts on various products, due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware
Threat Actors: 8220 Gang
Attack Type: Vulnerability Exploitation
Objective: Espionage
Target Technology: Unknown
Target Geographies: U.S.A, South Africa, Spain, Columbia, and Mexico.
Target Industry: Healthcare, Telecommunications, and Financial services
Business Impact: Operational Disruption

Recently we observed that the threat actors affiliated with the 8220 Gang have been detected leveraging a critical vulnerability within the Oracle WebLogic Server to spread their malicious software. The identified security vulnerability is CVE-2020-14883 (CVSS score: 7.2), representing a remote code execution flaw. Authenticated attackers could potentially exploit this vulnerability to gain control over vulnerable servers. The attack chains entail the exploitation of CVE-2020-14883 to specially craft XML files and ultimately run code responsible for deploying stealer and coin mining malware such as Agent Tesla, rhajk, and nasqa. The campaign’s targets encompass sectors such as healthcare, telecommunications, and financial services, spanning across the U.S., South Africa, Spain, Colombia, and Mexico. The group employs straightforward, readily available exploits to exploit widely known vulnerabilities, targeting vulnerable entities for their objectives. Despite being characterized as unsophisticated, they consistently adapt and refine their tactics and techniques to evade detection.

Relevancy & Insights:
8220 Gang also known as “8220 Mining Group,” is derived from their use of port 8220 for command and control or C&C communications exchange. The 8220 Gang has a history of leveraging known security flaws to distribute their malware. Along with Oracle WebLogic Server Authenticated RCE (CVE-2020-14883), researchers observed Oracle WebLogic Server RCE (CVE-2017-3506), Oracle WebLogic Server Authenticated Deserialization (CVE-2019-2725), Atlassian Confluence Server OGNL Injection RCE (CVE-2021-26084), CVE-2021-44228 – Apache Log4j JNDI RCE (CVE-2021-44228), Atlassian Confluence Server RCE (CVE-2022-26134) vulnerabilities getting exploited by 8220 Gang.

ETLM Assessment:
The 8220 Gang, a profit-driven threat group from China, predominantly focuses on cloud providers and inadequately secured applications. They deploy a tailored crypto miner and IRC bot for their activities. The primary sectors in their crosshairs include healthcare, telecommunications, and financial services in the U.S., South Africa, Spain, Colombia, and Mexico. Based on the ongoing campaign, CYFIRMA emphasizes the critical need to patch a high-severity vulnerability in the Oracle WebLogic Server to prevent potential exploitation by various threat actors.

Data Leaks

ViTrox Data Advertised in Leak Site
Attack Type: Data Leaks
Target Industry: Manufacturing
Target Geography: Malaysia
Objective: Data Theft, Financial Gains
Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to ViTrox {www[.]vitrox[.]com}. ViTrox Corporation is a Malaysian technology company with a strong focus on machine vision and electronics. It specializes in the design and development of automated vision inspection systems and equipment for semiconductors, printed circuit board assemblies, and electronics communication industries. ViTrox’s products include the Machine Vision System (MVS), Automated Board Inspection (ABI), Integrated Industrial Embedded Solutions, and Industry 4.0 Manufacturing Intelligence Solution – V-ONE. The compromised data consists of personal details like name, company information, email address, username, password, and other confidential data.

Source: Underground forums

Relevancy & Insights:
Opportunistic cybercriminals driven by financial motives are consistently seeking out exposed and vulnerable systems and applications. The primary arena for these attackers is underground forums, where they participate in discussions and trade stolen digital assets. In contrast to other financially motivated threat actors like ransomware or extortion groups, who tend to publicize their attacks, these opportunistic individuals prefer to operate discreetly. They infiltrate and pilfer valuable data by capitalizing on unpatched systems or exploiting vulnerabilities in applications and systems. The purloined data is subsequently advertised for sale within underground forums, being resold and repurposed by other attackers in their illicit activities.

ETLM Assessment:
CYFIRMA assesses that financially motivated cybercriminals consider Malaysia and other developed economies in Asia as attractive targets. Therefore, CYFIRMA considers there to be a continual and ongoing risk to companies in technologically advanced nations, such as Malaysia. Manufacturing and other industries will continue to be targeted by financially motivated threat actors.

Other Observations

CYFIRMA Research team observed a potential data leak related to Yipeedia, {www[.]Yipeedia[.]com} Yipeedia is an online E-Marketplace that offers exceptional international products, groceries, and food accessible at low prices. It is a platform for shoppers to shop endless products from International Sellers of more than 200 Countries, all at the convenience of Mobile devices. The sellers advertise Web-Shell Access to the Yipeedia Shopping App website, High privileges /edit/download/upload for USD 50.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.