
Weekly Intelligence Report – 23 June 2023

Published On : 2023-06-23

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leak.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage, Lateral Movement.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Clop Ransomware | Malware – Skuld
  • Clop Ransomware – one of the ransomware groups.
  • Malware – Skuld; please refer to the trending malware advisory for details.
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are also being observed.

Threat Actor in Focus

Gamaredon aka Shuckworm Resumes Operation Against Ukrainian Government

  • Suspected Threat Actors: Gamaredon
  • Attack Type: Spear Phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Ukraine
  • Target Industries: Government, Military, and Research
  • Business Impact: Data Loss

Summary:
In a recent development in the offensive cyber operations of a nation-state-backed advanced persistent threat group, cyber security researchers observed the Russian-sponsored APT Gamaredon, aka Shuckworm, targeting Ukrainian government assets in support of Russia's ongoing war against Ukraine. Gamaredon has been active since 2014 and has focused exclusively on Ukrainian assets in the interest of the Russian government, conducting numerous offensive operations with TTPs similar to those seen in past attacks. In the recent campaign, a spear-phishing email delivered a malicious RAR archive, which the user opened. This triggered the execution of a malicious PowerShell command that downloaded a payload from the attackers' server. The threat actor has been rotating IP addresses and updating its obfuscation techniques to avoid detection. A VBS script, identified as the Pterodo backdoor, was then executed. The targeted machine contained confidential documents related to Ukrainian security services or government departments. The threat actor was also observed adding a further script that implements USB propagation, allowing it to reach other machines through removable USB devices and infect them with malware. Further analysis revealed that the threat actor used Telegram as its command-and-control channel.

Insights:
The threat actor employed the same TTPs as in its previous campaigns, and the targeted industries also remained the same. In earlier operations, however, the threat actor relied on the more sophisticated spyware GammaSteel and GammaLoad to carry out its malicious activities.
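As an added illustration (not part of the report), a small Python correlation over constructed process and network telemetry that flags the chain described above: PowerShell spawned by an archive tool opening a RAR file, a VBS script run under that PowerShell, and a script host connecting to Telegram. The event layout, image paths, host names and the Telegram domains used are assumptions.

```python
import re
from collections import defaultdict
# Constructed telemetry, not from the report: host|pid|ppid|image|cmdline|dest_host
SAMPLE_EVENTS = """\
ws01|400|300|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe C:\\Users\\u\\Downloads\\doc.rar|
ws01|401|400|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -w hidden -enc ...|
ws01|402|401|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\upd.vbs|
ws01|402|401|C:\\Windows\\System32\\wscript.exe||t.me
ws02|501|300|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell Get-Date|
"""
KEYS = ("host", "pid", "ppid", "image", "cmd", "dest")
ARCHIVERS = re.compile(r"\\(winrar|7zfm|unrar)\.exe$", re.I)      # assumed archive-tool images
SCRIPT_HOSTS = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
TELEGRAM = re.compile(r"(^|\.)(telegram\.org|t\.me)$", re.I)      # assumed Telegram endpoints

def parse(text):
    rows = [dict(zip(KEYS, line.split("|"))) for line in text.splitlines()]
    for e in rows:
        e["pid"], e["ppid"] = int(e["pid"]), int(e["ppid"])
    return rows

def ancestors(table, pid):  # parent pids of pid within one host's process table, cycle-safe
    seen = set()
    while pid in table and pid not in seen:
        seen.add(pid)
        pid = table[pid]["ppid"]
        yield pid

def detect_chain(text):
    """Return {host: [matched stages]} for hosts showing the RAR -> PowerShell -> VBS -> Telegram chain."""
    events = parse(text)
    procs = defaultdict(dict)          # host -> pid -> first process-creation event (cmd non-empty)
    for e in events:
        if e["cmd"]: procs[e["host"]].setdefault(e["pid"], e)
    findings, flagged_ps = defaultdict(list), defaultdict(set)
    for host, table in procs.items():
        for pid, e in table.items():   # stage 1: PowerShell spawned by an archiver opening a .rar
            p = table.get(e["ppid"])
            if e["image"].lower().endswith("powershell.exe") and p \
                    and ARCHIVERS.search(p["image"]) and ".rar" in p["cmd"].lower():
                flagged_ps[host].add(pid)
                findings[host].append("powershell spawned from archive tool opening a .rar")
        for pid, e in table.items():   # stage 2: .vbs run by a script host descended from that PowerShell
            if SCRIPT_HOSTS.search(e["image"]) and ".vbs" in e["cmd"].lower() \
                    and flagged_ps[host] & set(ancestors(table, pid)):
                findings[host].append("vbs launched under the suspicious powershell")
    for e in events:                   # stage 3: script host talking to Telegram (possible C2)
        if e["dest"] and SCRIPT_HOSTS.search(e["image"]) and TELEGRAM.search(e["dest"]):
            findings[e["host"]].append("script host connecting to telegram (possible c2)")
    return dict(findings)
```

Each stage on its own is noisy; the value is in requiring all three on the same host before raising an alert.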

Major Geopolitical Developments in Cybersecurity

Russian hacktivists threaten to attack the EU banking system.

KillNet, in partnership with REvil and Anonymous Sudan, recently announced that they would attack European banking systems in retaliation for Western sanctions on Russia and as a supposed means of deterring the West from intervening in the ongoing violent crisis in Sudan.

While the hackers have not delivered the general attack on the SWIFT interbank funds transfer system that they have been threatening, it seems these hacktivist auxiliaries did carry out a successful distributed denial of service (DDoS) attack against the European Investment Bank (EIB). The institution has confirmed that it is experiencing a cyber-attack affecting the availability of its website; so far, this minor nuisance has been the extent of the attack. It is unlikely that these actors by themselves have the capability and sophistication to bring down well-defended infrastructure, as their demonstrated capability in recent years and months has amounted only to nuisance attacks such as DDoS and occasional defacements. At the same time, researchers now posit that Anonymous Sudan is a Russian-run front operation rather than the Islamist patriotic hacktivist collective it claims to be. However, in the not impossible event of top Russian state APTs carrying out significant attacks on European and Western banking, it is likely that the hacktivist auxiliaries would take credit in order to partially shield Moscow from the political fallout.

British Government commits further funds in cybersecurity aid to Ukraine.

The government of the UK has recently announced that it will allocate £25 million in aid towards Ukraine’s cybersecurity. The new funding substantially increases the previous round of cybersecurity support from last year, which was about a fifth of the size of the current package. Prime Minister Rishi Sunak explained, “Russia’s appalling attacks on Ukraine are not limited to their barbaric land invasion, but also involve sickening attempts to attack their cyber infrastructure that provides vital services, from banking to energy supplies, to innocent Ukrainian people. This funding is critical to stopping those onslaughts, hardening Ukraine’s cyber defenses and increasing the country’s ability to detect and disable the malware targeted at them.” The continuous support the UK is showing to Ukraine is, however, likely to put British infrastructure, government, and business in the crosshairs of Russian hackers, who have sworn on social media to retaliate.

Other Observations

The CYFIRMA Research team observed a potential data leak related to APP-Sindicato (www[.]appsindicato[.]org[.]br), the Union of Public Education Workers of Paraná. The organization was founded by teachers of the public education system in Paraná on April 26, 1947, and describes itself as an entity with a history full of dreams. The exposed data consists of a diverse array of sensitive and confidential information in SQL format, with a total size of 5 GB.


Source: Underground forums

The CYFIRMA Research team observed a threat actor selling access to a vulnerable server of a financial institution located in Africa. Such access can lead on to a ransomware attack against the compromised organisation.


Source: Underground forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, delivered through next-generation security solutions and backed by a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy behavioural anomaly-based detection technologies to detect ransomware attacks and help take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.