Weekly Intelligence Report – 24 Feb 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

• Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rouge Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), Smishing, Malvertising, USB as an Attack Vector
• Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
• Ransomware – Lorenz Ransomware | Malware – WhiskerSpy
• Lorenz Ransomware – One of the ransomware groups.
• Please refer to the trending malware advisory for details on the following:
• Malware – WhiskerSpy
• Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

APT Gamaredon Abuses HoaxShell in Recent Campaign Against Ukraine

• Suspected Threat Actors: Gamaredon
• Attack Type: Spear Phishing
• Objective: Unauthorized Access, Espionage, Data Exfiltration
• Target Technology: Windows
• Target Geographies: Ukraine
• Target Industries: Public Sector
• Business Impact: Data Theft

Summary:
According to researchers in recent observations, a new campaign by Gamaredon targeting multiple organizations in Ukraine has been detected. This ongoing espionage operation uses sophisticated techniques to deliver malware to the victim’s machines in Ukraine. The open-source tool Hoaxshell was abused for the technical attack. The attack vector is a spear-phishing email with an attachment that compromises the system through the installation of a WebShell. The WebShell includes features for executing remote commands and deploying additional payloads on an infected machine.

Gamaredon relies on the highly targeted distribution of weaponized documents that mimic official documents from Ukrainian government organizations and uses the Ukranian language for phishing mail. Several types of attachments were used to deliver malware, including .xlsx, .doc, .xlsm, and .docm, with .docm being the most prevalent. The decoy documents are portrayed as official government documents. Once the malicious document is opened, it executes a heavily obfuscated macro called “xdm,” which decodes and executes a second PowerShell script that reports back to the command-and-control server. This campaign is part of an ongoing espionage operation and has been observed as recently as February 2023. The use of obfuscated PowerShell and VBScript scripts in the infection chain makes it challenging to detect and prevent. The main file used to perform the next stage is coded in Python, while the WebShell is coded in pure PowerShell.

Insights:
Despite being exposed many times for using open-source tools like Hoaxshell for the advanced attack, APT continues to target with the same attack vector showing that the success rate is good.

Major Geopolitical Developments in Cybersecurity

Dutch intelligence warns of Russian sabotage against its energy infrastructure

According to Dutch military intelligence, Russia has recently tried to gather information to harm vital infrastructure in the Dutch portion of the North Sea. According to the agency, a Russian ship was discovered at an offshore wind farm in the North Sea as it was attempting to map out energy infrastructure. Before any sabotage attempt could be successful, the vessel was escorted out of the North Sea by Dutch marine and coast guard ships, but the ship has probably been able to gather data on this infrastructure.

According to a recent joint report by Dutch intelligence agencies MIVD and AIVD, Russia is undertaking activities which indicate preparations for disruption and sabotage, with the largest threat being posed towards water and energy supplies in the Netherlands. In recent months Russian cyber actors and intelligence were trying to uncover the workings of the energy system in the North Sea and according to Dutch authorities, Russia is interested in potential sabotage of the energy infrastructure in the Netherlands and more broadly in Europe. This is in line with the warnings CYFIRMA analysts have issued on the topic since the start of the Russian war on Ukraine in February 2022.

A new APT engages in cyberespionage

Researchers have observed a new threat actor that has been seen targeting shipping companies and medical laboratories in Asia with phishing emails. The APT has been dubbed Hydrochasma and appears to be interested in pharma industries connected with COVID-19 treatments or vaccines. The activity, which has been ongoing since October 2022 is mostly initiated by phishing messages containing resume-themed lure documents that, when launched, grant initial access to the machine.
Researchers did not notice any data being exfiltrated and the actor is not associated with any other known campaigns; however, the actor’s use of the tools they saw suggested that the purpose might be intelligence collection. However, the actor has been using off-the-shelf tools which have complicated the attribution of the attack, which was possibly the intention of the attacker in order to cover its tracks. Given the broad scope of the attack, the researchers suspect government involvement and an attempt to gain strategic intelligence.

North Korean APT launches new malware

According to researchers, APT37 (also known as “RedEyes” or “StarCruft”), a threat actor from North Korea, is disseminating a brand-new malware strain called “M2RAT” (ASEC). Recently, researchers discovered M2RAT being disseminated through phishing emails. The emails contain files that, when opened, will execute shellcode by taking advantage of an inherent flaw in the widely used in South Korean Hangul word processor. The victim’s computer will first receive a JPEG image download from the shellcode, which employs steganography to extract the M2RAT download code. The software is made to take screenshots and record keystrokes to steal data. Infected mobile devices will also be scanned for by M2RAT, and will likewise gain access to documents or audio recordings for the attacker. APT37 frequently targets journalists, North Korean defectors, and human rights advocates. The victims sometimes are unaware that they have been hacked because the threat actor targets individuals and personal devices rather than businesses with expensive protection systems.

Chinese cyber company accuses the West of hacking China

In a fresh allegation, Chinese cybersecurity researchers have accused the West of politically motivated cyber-attacks against China. According to the Chinese, the hackers originated in North America and Europe and have been dubbed Against the West in China. The group has published sensitive Chinese information and databases more than 70 times since 2021, including stealing data from around 300 information systems. The list of victims includes the Hainan provincial government and China Southern Airlines.
The Chinese researchers claim the attacks to be political in nature and exclusively share their research with the Global Times, the vehemently nationalistic state-owned Chinese media publication in an attempt to spin the global narrative on government hacking in a more China-friendly light. The publication appears to be a part of China’s growing attempts to take control of the narrative on cyberattacks by pointing the finger in the other direction when it comes to cyber-attack attribution.

Other Observations

CYFIRMA Research team observed that AOL is web portal and online service provider in The United States of America suffered a data breach. This data leak contains First Name, Last Name, Email Address, Phone Number, Zip Code, and Customer ID.

Source: Underground Forums

The Team also observed a potential data leak related to www[.]sttelemediagdc[.]com – ST Telemedia Global Data Centres (STT GDC), is a leading data centre service provider headquartered in Singapore. The Company offers data colocation, connectivity, hosting, and cloud storage services. This data leak contains data of 1,210 customers.

Source: Underground Forums

STRATEGIC RECOMMENDATION

• Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
• Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
• Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
• Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
• Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

• Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
• Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
• Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
• Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
• Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

• Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
• Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
• Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
• Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
• Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.