Self Assessment

Weekly Intelligence Report – 24 Jan 2025

Published On : 2025-01-23
Share :
Weekly Intelligence Report – 24 Jan 2025

Ransomware of the week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Anomaly Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Anomaly Ransomware.
Anomaly ransomware, recently identified by researchers, is based on Chaos ransomware.

Once entered into the victim’s system, ransomware encrypts files and appended filenames with a four-character random extension. After completing the encryption process, it altered the desktop wallpaper and delivered a ransom note titled “read_it.txt.”

Screenshot of files encrypted by ransomware (Source: Surface Web)

Anomaly’s ransom note informs victims that their files have been encrypted, with recovery possible only by purchasing a decryption key for 0.05 BTC. The note vaguely warns that delays in payment may lead to permanent data loss.

Screenshot of Anomaly ransomware’s text file (“read_it.txt”)(Source: Surface Web)

Screenshot of Anomaly’s desktop wallpaper: (Source: Surface Web)

Following are the TTPs based on the MITRE Attack Framework

Tactic ID Technique/ Sub-Technique
Execution T1053 Scheduled Task/Job
Execution T1059 Command and Scripting Interpreter
Execution T1106 Native API
Execution T1129 Shared Modules
Persistence T1053 Scheduled Task/Job
Persistence T1176 Browser Extensions
Persistence T1542.003 Pre-OS Boot: Bootkit
Persistence T1543.003 Create or Modify System Process: Windows Service
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup
Folder
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1053 Scheduled Task/Job
Privilege Escalation T1055 Process Injection
Privilege Escalation T1543.003 Create or Modify System Process: Windows Service
Privilege Escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation T1548 Abuse Elevation Control Mechanism
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side-Loading
Defense Evasion T1014 Rootkit
Defense Evasion T1027 Obfuscated Files or Information
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1070.004 Indicator Removal: File Deletion
Defense Evasion T1112 Modify Registry
Defense Evasion T1140 Deobfuscate/Decode Files or Information
Defense Evasion T1202 Indirect Command Execution
Defense Evasion T1222 File and Directory Permissions Modification
Defense Evasion T1497 Virtualization/Sandbox Evasion
Defense Evasion T1542.003 Pre-OS Boot: Bootkit
Defense Evasion T1548 Abuse Elevation Control Mechanism
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense Evasion T1564.001 Hide Artifacts: Hidden Files and Directories
Defense Evasion T1564.003 Hide Artifacts: Hidden Window
Defense Evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential Access T1003 OS Credential Dumping
Credential Access T1552.001 Unsecured Credentials: Credentials in Files
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1033 System Owner/User Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1087 Account Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Discovery T1518.001 Software Discovery: Security Software Discovery
Collection T1005 Data from Local System
Collection T1114 Email Collection
Collection T1115 Clipboard Data
Collection T1185 Browser Session Hijacking
Command and Control T1071 Application Layer Protocol
Command and Control T1105 Ingress Tool Transfer
Impact T1485 Data Destruction
Impact T1486 Data Encrypted for Impact
Impact T1489 Service Stop
Impact T1490 Inhibit System Recovery
Impact T1496 Resource Hijacking

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate efforts to hinder data recovery options for victims.

ETLM Assessment:
Based on available data, CYFIRMA assesses that Anomaly ransomware’s high ransom demands and profit-driven motives indicate a likely expansion across industries and regions, focusing on targets capable of meeting their financial demands. Mitigating such threats requires robust cybersecurity measures, including advanced endpoint protection, regular backups, network monitoring, and employee training.

Sigma Rule
title: Delete shadow copy via WMIC threatname:
behaviorgroup: 18
classification: 0 mitreattack:

logsource:
category: process_creation product: windows
detection: selection:
CommandLine:
– ‘*wmic*shadowcopy delete*’ condition: selection
level: critical
(Source: Surface web)

IOCs:
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Loader | Objectives: Data Exfiltration, Stealing Sensitive Information | Target Industries: Electricity, Oil & Gas, Law firms and Legal services | Target Geographies: United States and Europe | Target Technology: Windows OS

CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the Week
This week “MintsLoader” is trending

MintsLoader
Researchers have uncovered an ongoing campaign utilizing MintsLoader, a PowerShell- based malware loader, to deliver secondary payloads such as StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client. MintsLoader is distributed through spam emails containing links to Kongtuke/ClickFix pages or JScript files. This malware employs a Domain Generation Algorithm (DGA) that calculates domain names using a seed value derived from the current day and a constant. It also integrates anti- virtual machine (anti-VM) techniques to evade detection by sandboxes and malware analysts. This campaign has notably impacted sectors such as Electricity, Oil & Gas, Law firms and Legal services across the United States and Europe.

Attack Method
The MintsLoader infection starts when a victim clicks a link in a spam email, leading to the download of a JScript file named in a specific format, such as “Fattura” followed by a series of numbers.

Fig: JScript download

The script introduces a 13-second delay, likely to evade automated detection systems, before initiating a PowerShell command using the curl utility to download the first stage of MintsLoader. To evade detection, the script deletes itself after execution, making it harder for analysts to retrieve. In some cases, the malware is delivered via ClickFix or KongTuke links, using a slightly different method to execute the command. After contacting the command-and-control (C2) server, MintsLoader receives and executes an obfuscated response containing further PowerShell instructions. These scripts begin by decoding information and checking if the system is a virtual machine. This detection process includes examining system properties such as video adapters and cache memory configurations, specifically targeting VMware, Bochs, and other hypervisor environments. If the system is confirmed as a physical machine, the malware continues execution. These steps highlight MintsLoader’s ability to avoid sandbox environments and enhance its effectiveness.

As part of its process, the malware assigns specific values to a variable, which is used throughout its operations and shared with the C2 server. It also employs techniques to differentiate physical machines from virtual ones, ensuring it can bypass sandbox environments or security tools. One of the key features of MintsLoader is its dynamic generation of command-and-control (C2) server addresses. The malware uses a combination of the current day of the month and a constant to create unique domains each day, making detection more difficult for security systems. These domains are used to connect to the C2 server, with the address ending in a “.top” domain.

To construct the C2 URI path, MintsLoader creates a random string of alphanumeric characters and retrieves system details, like the computer name, to build query
parameters. These parameters include the system’s name as an identifier, a unique key, and a pre-set number. Using the curl command, the malware communicates with the C2 server, and the server’s response—also heavily obfuscated—is processed to execute additional stages. However, an attempted bypass of anti-malware protections fails due to flawed coding in the script.

In the final stage, MintsLoader initiates a web request to download its payload from a file- hosting site. One of the key payloads delivered by MintsLoader is StealC, a sophisticated data-stealing malware. While the hosting platform no longer provides the file, its digital signature remains accessible for analysis through security platforms.

StealC
StealC is an information-stealing malware marketed as a Malware-as-a-Service (MaaS) by its developer, “Plymouth,” on Russian underground forums since January 2023. Built on the framework of the earlier Arkei stealer from 2018, StealC is designed to extract sensitive data from web browsers, extensions, crypto wallets, applications, and email clients. This includes financial information, passwords, and tokens. The malware employs legitimate DLLs, such as sqlite3.dll and nss3.dll, to aid in data collection, which is then sent to its command-and-control (C2) server through HTTP POST requests.

StealC offers threat actors advanced tools, including an admin panel with features like a query builder for sorting stolen data. To evade detection, it uses XOR encryption for its strings, decrypting them during execution and storing the results in memory. The malware also includes several anti-debugging measures, such as exiting if it detects specific
usernames like “JohnDoe,” or systems with certain characteristics like single-core processors, low memory (below 1111 MB), or screen resolutions under 666 pixels. Additionally, it avoids running on systems using Russian, Ukrainian, Belarusian, Kazakh, or Uzbek language settings.

Before interacting with its C2 server, StealC generates a unique hardware ID (HWID) based on the C:\ drive’s volume serial number, which remains consistent and helps attackers manage stolen data. Initial communications with the C2 involve sending the HWID, followed by requests for base64-encoded configurations. Though its C2 servers are currently offline, the malware previously used HTTP POST requests to exfiltrate stolen files and credentials, while HTTP GET requests fetched third-party libraries like sqlite3.dll.

INSIGHTS

  • MintsLoader is part of a broader wave of malware campaigns aimed at compromising organizations across various industries, including electricity, oil & gas, law firms and legal services, by stealthily infiltrating their networks. Its ability to avoid detection and continuously evolve makes it a significant threat. By leveraging advanced techniques such as Domain Generation Algorithms (DGA) and anti-virtual machine (anti-VM) mechanisms, MintsLoader is particularly adept at bypassing traditional security defenses. These measures not only make it difficult for malware analysts to study the infection process but also pose a challenge for organizations to detect and respond to these attacks in real-time. This increasing sophistication suggests a growing trend in cybercriminal tactics, where evasion and persistence are key.
  • The malware’s impact extends beyond immediate data theft or system disruption; it serves as a gateway for secondary payloads like StealC, which targets sensitive information such as passwords, financial details, and even cryptocurrency wallets. This multi-stage attack strategy illustrates how MintsLoader acts as a force multiplier for other forms of malware, creating long-term risks for both individuals and organizations. The persistence of these campaigns, often relying on spam emails and deceptive links, speaks to a rising trend in cyberattacks where attackers rely on human error and trust to gain access to targeted networks.
  • MintsLoader is its ability to evolve and adapt based on the infrastructure it targets. By generating unique command-and-control (C2) domains daily and using random strings in its C2 communications, MintsLoader ensures that it remains resilient against takedown efforts. This constant adaptation to new domains makes it challenging for security teams to maintain an up-to-date blocklist, highlighting the need for dynamic, real-time threat intelligence to effectively counter such threats.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that MintsLoader’s evolving tactics may cause an increase in the frequency and complexity of cyberattacks, affecting organizations across various sectors. As this malware continues to adapt, it is likely that attackers will find more sophisticated ways to infiltrate networks, making it harder for organizations to detect and mitigate the threat. The use of secondary payloads, like data-stealing malware, could lead to long-term damage, as these threats have the potential to steal sensitive information and disrupt operations. In the future, organizations may find themselves grappling with not only immediate breaches but also the ripple effects of data theft and reputational damage. Employees, too, may face greater risks, as the malware targets human error, using methods such as phishing and deceptive links to gain access. As the attack methods become more refined, organizations will need to stay vigilant and prepared for the evolving nature of these threats, as they could lead to significant financial loss and operational disruption if left unchecked.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

Recommendations :

STRATEGIC:

  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.s

MANAGEMENT:

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.

CYFIRMA’S WEEKLY INSIGHTS

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Phishing, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Space Bears Ransomware, RansomHub Ransomware| Malware – MintsLoader
  • Space Bears Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
    Please refer to the trending malware advisory for details on the following:
  • Malware – MintsLoader
    Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

New Star Blizzard spear-phishing campaign targets WhatsApp accounts

  • Threat actor: Star Blizzard
  • Initial Attack Vector: Spear Phishing
  • Objective: Espionage
  • Target Technology: Communication platform (WhatsApp)
  • Target Geography: Ukraine
  • Target Industries: Ukraine NGO
  • Business Impact: Data exfiltration

Summary
Researchers recently discovered a new tactic employed by the Russian threat group Star Blizard, who have shifted their focus to compromising WhatsApp accounts.

Since November 2024, the group, previously known for targeting government, diplomatic, defense, and Ukraine-related organizations, has adapted its strategy by launching spear-phishing campaigns aimed at infiltrating WhatsApp. This marks a notable shift from their traditional attack methods.

This marks a significant departure from their usual methods, which involved using email attachments and links to steal sensitive information. The attacker’s primary targets have typically been government officials, international relations researchers, and entities involved in aiding Ukraine amid the ongoing conflict. The new campaign began with an email impersonating a U.S. government official, which contained a broken QR code intended to redirect the target to a WhatsApp group discussing Ukraine-related NGO initiatives. The broken code was a strategic move to prompt the target to engage with the email by responding.

Once the target responded, the attacker followed up with a second email containing a malicious link wrapped in a Safe Links-wrapped shortened URL. Clicking the link redirected the victim to a page displaying a legitimate-looking WhatsApp Web QR code, which misled the user into scanning it. Scanning the QR code linked the target’s WhatsApp account to a device controlled by the attacker. This allowed the threat actor to access and exfiltrate messages from the compromised WhatsApp account using browser-based plugins designed for WhatsApp Web. This tactic represents the first instance of the threat actor leveraging WhatsApp as an access vector, signaling a shift in their long-standing tactics and indicating a response to previous exposure and disruptions of their operations.

Although this campaign appeared to wind down by the end of November 2024, it highlights the persistence and adaptability of the threat actor in seeking new ways to gain access to sensitive information.

Relevancy & Insights
Star Blizzard, a Russian threat actor, has a history of targeting entities involved in government, diplomacy, defense policy, and international relations, particularly those with ties to Ukraine or Russia. Their tactics have primarily involved spear-phishing campaigns to exfiltrate sensitive data, often impersonating political figures to increase engagement. From January 2023 to August 2024, they targeted civil society organizations, including journalists, think tanks, and NGOs, to interfere with their activities. Despite being disrupted by coordinated actions from Microsoft and the US Department of Justice in October 2024, Star Blizzard quickly adapted by transitioning to new infrastructure. The November 2024 shift to WhatsApp-based phishing campaigns marks a significant change in their tactics, using QR codes and malicious links to compromise users’ WhatsApp accounts. This shift suggests a response to exposure of their TTPs, showcasing their resilience and adaptability in circumventing detection.

ETLM Assessment:
Star Blizzard, a Russian cyber threat actor, primarily targets individuals and organizations connected to government, diplomacy, defense policy, international relations, and support for Ukraine. Their geographical focus spans globally, with particular attention on countries involved in the Ukraine conflict or with diplomatic ties to Russia. Industries of interest include government entities, NGOs, think tanks, and defense researchers.

Historically, Star Blizzard has employed spear-phishing campaigns leveraging email and malicious links to exfiltrate sensitive information, often impersonating political figures.

Their attacks now include novel tactics, such as targeting WhatsApp accounts via QR code phishing, marking a shift in their techniques. While they have not been known to rely on specific malware consistently, their campaigns leverage various malicious tools to compromise systems and exfiltrate data. Given their adaptability and resilience, including the rapid shift to new domains and attack vectors after disruptions, Star Blizzard poses a persistent threat. Future risks include further evolution of their phishing strategies and expanded use of encrypted communication platforms like WhatsApp.

Recommendations:

Strategic Recommendations:

  • Develop an Adaptable Security Posture: Given the threat actor’s ability to shift tactics quickly, regularly assess and update your security policies and response strategies. Focus on agility, ensuring your teams are well-prepared for unexpected attack vectors, such as phishing campaigns leveraging new platforms like WhatsApp.
  • Executive Awareness and Training: As senior officials remain a primary target, ensure that top-level executives and decision-makers are regularly trained on recognizing spear-phishing attempts and other social engineering tactics.

Tactical Recommendations:

  • Implement Phishing and QR Code Detection: Ensure your security infrastructure, especially within your SOC, includes advanced phishing detection tools that specifically target QR code phishing attempts. Integrate protections for services like WhatsApp Web, as this is a new attack vector.
  • Strengthen Email Security: Configure advanced email filtering solutions that flag emails with suspicious QR codes or links to potentially harmful domains. Implement sandboxing for all external links before users click.

Operational Recommendations:

  • Leverage Endpoint Detection and Response (EDR): Given the evolving nature of the threat actor’s tactics, enhance EDR capabilities to detect signs of WhatsApp Web compromises or abnormal access patterns indicative of credential theft or unauthorized access.
  • Incident Response Playbook Updates: Update your playbooks to address specific scenarios involving phishing via QR codes or social media apps. Practice simulated phishing exercises regularly, incorporating these new tactics into your simulations.
  • IoC Monitoring: Continuously monitor the IoCs shared in this report (malicious domains, URLs, IPs) through your SOC, ensuring that any associated activity is swiftly flagged and investigated. Automate alerts for known phishing domains and frequently check for new IoCs that might emerge as the threat actor adapts.
MITRE FRAMEWORK
Tactic ID Technique
Reconnaissance T1593 Search Open Websites/Domains
Reconnaissance T1589 Gather Victim Identity Information
Resource Development T1585.001 Establish Accounts: Social Media Accounts
Resource Development T1585.002 Establish Accounts: Email Accounts
Resource Development T1583.001 Acquire Infrastructure: Domains
Resource Development T1586.002 Compromise Accounts: Email Accounts
Initial Access T1078 Valid Accounts
Initial Access T1566.001 Phishing: Spearphishing Attachment
Initial Access T1566.002 Phishing: Spearphishing Link
Defense Evasion T1550.004 Use Alternate Authentication Material: Web Session Cookie
Credential Access T1539 Steal Web Session Cookie
Collection T1114.002 Email Collection: Remote Email Collection
Collection T1114.003 Email Collection: Email Forwarding Rule

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Trump Administration postponed TikTok ban, rescinded AI regulation
The U.S. Supreme Court upheld a law set to ban TikTok in the United States starting just before the inauguration of the new US President. However, the outgoing Biden Administration did not enforce the ban, instead leaving the decision to the incoming Trump Administration. Senate Democratic Leader Chuck Schumer revealed on the Senate floor that he had urged Biden to keep the app accessible, stating, “It’s clear that more time is needed to find an American buyer and not disrupt the lives and livelihoods of millions of Americans, including influencers who have built substantial networks of followers.”

President-elect Trump has since walked back his earlier calls to ban TikTok and pledged to find a solution to keep the app operational in the U.S. The new U.S. President Donald Trump signed an executive order extending TikTok’s deadline to remain operational in the United States. He hinted at pursuing a deal in which the
U.S. government would acquire a 50% stake in the company. TikTok briefly went offline in the U.S. late Saturday night before resuming operations on Sunday.

In addition, President Trump rescinded a 2023 executive order issued by President Joe Biden that required AI companies to share safety test results with the U.S. government if their systems posed potential national security risks.

ETLM Assessment
TikTok is only one facet of China’s broader information warfare strategy. The country has inundated American social media platforms with both bots and human- operated accounts aimed at spreading disinformation and fostering division.

In the past two years, China’s campaign has shifted focus from promoting predominantly pro-China narratives to more aggressively targeting U.S. political issues. This effort is part of a larger, multibillion-dollar influence campaign. Using millions of accounts across platforms such as X (formerly Twitter), YouTube, and even fringe platforms like Gab, the campaign seeks to promote pro-China messaging. It has also been a pioneer in adopting advanced techniques like AI-generated profile pictures to enhance credibility and impact.

Over the last five years, researchers monitoring this campaign have observed a consistent evolution in its tactics. These include leveraging video content, automated voiceovers, and, most recently, AI to generate profile images and content designed to exploit and exacerbate societal divisions.

4. Rise in Malware / Ransomware and Phishing

The Space Bears Ransomware Impacts Fukoku Co. Ltd.

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Ransomware: Space Bears Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; Fukoku Co. Ltd.(www[.]fukoku-jp[.]com), was compromised by Space Bears Ransomware. Fukoku Co., Ltd. is a Japanese company based in Yanagawa City, Fukuoka Prefecture, specializing in the development and manufacturing of products using non-woven fabrics. The compromised data includes databases, accounting information, sales records, purchasing details, drawings, prototypes, and production cycles.

Source: Dark Web

Relevancy & Insights:

  • Space Bears operates a dedicated leak site that was first identified in April 2024. This site is used to publish stolen data from victims, showcasing the group’s pivot towards data theft as a primary method of extortion.
  • Space Bears is associated with the Phobos ransomware-as-a-service (RaaS) operation. The group utilizes similar tactics and tools, including hosting stolen data on their leak site, which has been linked to the Faust operator within the Phobos ecosystem.
  • The Space Bears group employs double extortion strategies, where they not only encrypt files but also exfiltrate sensitive data before encryption. If the ransom is not paid, they threaten to leak this data publicly.
  • The Space Bears Ransomware group primarily targets countries, such as the United States of America, Canada, Spain, Germany, and Japan.
  • The Space Bears Ransomware group primarily targets industries, including Heavy Construction, Specialized Consumer Services, Healthcare, Oil & Gas, and Delivery Services.
  • Based on the Space Bears Ransomware victims list from 1st April 2024 to 22nd Jan 2025, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Space Bears Ransomware from 1st April 2024 to 22nd Jan 2025 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Space Bears ransomware represents a significant threat in the evolving landscape of cybercrime. With its aggressive tactics, association with established ransomware operations like Phobos, and focus on double extortion, organizations are advised to bolster their cybersecurity measures to mitigate risks associated with such attacks. Continuous monitoring of this group’s activities will be essential for understanding their methods and potential impact on various sectors.

The RansomHub Ransomware Impacts Thai Rotary Engineering Public Co., Ltd. (TREL)

  • Attack Type: Ransomware
  • Target Industry: Engineering, Procurement, and Construction
  • Target Geography: Thailand
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Thailand; Thai Rotary Engineering Public Co., Ltd. (TREL)(www[.]rotaryeng[.]co[.]th), was compromised by RansomHub Ransomware. Thai Rotary Engineering Public Co., Ltd. (TREL), is a leading engineering, procurement, and construction (EPC) company in Thailand. The company specializes in bulk storage terminal projects and offers mechanical fabrication services for the petrochemical and oil & gas industries, serving both local and regional markets. The compromised data consists of confidential and sensitive information related to the organization. The total size of the compromised data is approximately 170 GB.

Source: Dark Web

Relevancy & Insights:

  • The RansomHub Ransomware group operates as a Ransomware-as-a-Service (RaaS), allowing affiliates to leverage its infrastructure for attacks. They have adopted a “big game hunting” strategy, targeting larger enterprises that are more likely to pay substantial ransoms.
  • RansomHub has been linked to the ShadowSyndicate hacking group, which has adopted RansomHub’s ransomware for its operations. ShadowSyndicate reportedly shifted to using RansomHub due to lucrative affiliate rates, offering up to 90% of ransom payments to affiliates.
  • The RansomHub Ransomware group engages in double extortion tactics, threatening to leak stolen data if ransoms are not paid. They have been known to target cloud storage backups and misconfigured Amazon S3 instances to exert additional pressure on victims.
  • The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Italy, and Australia.
  • The RansomHub Ransomware group primarily targets industries, such as Heavy Construction, Business Support Services, Specialized Consumer Services, Software, and Health Care Providers.
  • Based on the RansomHub Ransomware victims list from 1st Jan 2024 to 22nd Jan 2025, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2024 to 22nd Jan 2025 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Thai Rotary Engineering Public Co., Ltd. (TREL), a prominent Engineering, Procurement, and Construction company from Thailand, highlighting RansomHub’s significant threat presence in Southeast Asia.

5. Vulnerabilities and Exploits

Vulnerability in Vim

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Client/Desktop application
  • Vulnerability: CVE-2025-24014
  • CVSS Base Score: 4.2 Source
  • Vulnerability Type: Out-of-bounds write
  • Summary: The vulnerability allows a remote attacker to compromise a vulnerable system.

Relevancy & Insights:
The vulnerability exists due to a boundary error when processing untrusted input.

Impact:
A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write, and execute arbitrary code on the target system.

Affected Products:
https[:]//github[.]com/vim/vim/security/advisories/GHSA-j3g9-wg22- v955

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK

This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Vim, a highly configurable text editor, can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Vim is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding text creation and editing processes, particularly in UNIX systems and Apple OS X environments, across different geographic regions and sectors.

6. Latest Cyber – Attacks, Incidents, and Breaches

Lynx Ransomware attacked and published the data of Jim Thompson

  • Threat Actor: Lynx Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Luxury Lifestyle and Textile
  • Target Geography: Thailand
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary
Recently, we observed that Lynx Ransomware attacked and published the data of Jim Thompson(www[.]jimthompson[.]com) on its dark web website. Jim Thompson is a renowned global lifestyle brand originating from Thailand, celebrated for its exquisite silk products and rich heritage. Jim Thompson ships internationally to several countries, including the USA, Japan, Australia, and various European nations. The ransomware attack resulted in a data leak containing confidential and sensitive organizational information. The total size of compromised data is approximately 230 GB.

Source: Dark Web

Relevancy & Insights:

  • Lynx operates under a RaaS model, allowing affiliates to deploy the ransomware in exchange for a share of the ransom payments. This model has contributed to its rapid proliferation.
  • Lynx employs a double extortion strategy, where it not only encrypts files on the victim’s system but also exfiltrates sensitive data beforehand. If the ransom is not paid, the group threatens to leak or sell this data on their leak sites.

ETLM Assessment:
According to CYFIRMA’s assessment, Lynx Ransomware represents a significant threat in the evolving landscape of cybercrime. Its sophisticated techniques and aggressive tactics necessitate robust cybersecurity measures from organizations to mitigate risks associated with ransomware attacks. As this group continues to operate, ongoing monitoring and analysis will be crucial for understanding their methods and developing effective defenses against them.

7. Data Leaks

NETSE Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: E-commerce and Online Grocery Delivery
  • Target Geography: India
  • Objective: Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary
The CYFIRMA Research team observed a data leak related to NETSE (https[:]//netse[.]in) in an underground forum. NETSE is a one-stop online grocery shop for all household needs including Fresh Fruits, Vegetables, Groceries, Personal care products, and much more. The compromised data includes the complete address, item details (item, quantity, unit, rate, and total), order number, phone number, customer name, and user ID. The breach has been linked to a threat actor identified as “888.”

Source: Underground forums

Ahmadalmutawa Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Business consulting and Professional Training
  • Target Industry: Kuwait
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a data leak related to Ahmadalmutawa (https[:]//www[.]ahmadalmutawa[.]com) in an underground forum. The website ahmadalmutawa[.]com is an online platform offering courses, consultations, and resources designed to empower entrepreneurs and business owners. Ahmad Al- Mutawa, the founder, is a seasoned entrepreneur, business coach, and motivational speaker with a focus on supporting small and medium enterprises (SMEs) and fostering personal and professional growth. The compromised data includes email addresses, password hashes, addresses, first and last names, and phone numbers. The total size of the compromised data is 4.41 MB and is stored in CSV format. The breach has been attributed to a threat actor known as “Empathy.”

Source: Underground forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data.

Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor “888” continues to be active in the cybercrime landscape, making bold claims about breaches while often facing scrutiny regarding the validity of those claims. Organizations are advised to bolster their defenses against potential attacks from this group and similar cybercriminals.

Recommendations: Enhance the cybersecurity posture by:

  1. Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  2. Ensure proper database configuration to mitigate the risk of database-related attacks.
  3. Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a data leak related to OnlineTVRecorder (https[:]//www[.]onlinetvrecorder[.]com/) in an underground forum.

OnlineTvRecorder (OTR) is a web-based service that allows users to record television broadcasts from over 100 channels across various countries, including Germany, the USA, the UK, Austria, and Switzerland. OTR functions as a comprehensive media library, enabling users to watch or download films and shows for free. The compromised data includes user IDs, emails, nicknames, passwords, activation codes, newsletter subscriptions, registration details, recording start times, download history, overall downloads, ratings, last login information, paid status, and other sensitive data. The breach has been attributed to a threat actor known as “Ddarknotevil.”

Source: Underground Forums

The CYFIRMA Research team observed a data leak related to Tech Meetups (http[:]//www[.]techstartupjobs[.]com) in an underground forum.TechMeetups is a global community operating for 15+ years with 29 interconnected communities, 500+ job fairs, and 4,000+ hiring partners. The compromised data consists of 30,671 records, including a unique user ID, login username, hashed/encrypted password, nickname, email address, personal/website URL, activation key, account status, and display name. The breach has been attributed to a threat actor known as “Rey.

Source: Underground Forums

ETLM Assessment:
Threat actor “Ddarknotevil” represents a notable threat within the cybercriminal landscape, particularly through their involvement in high-profile data breaches and sales of stolen information. Organizations are urged to enhance their cybersecurity defenses and remain vigilant against such threats to safeguard their sensitive data and maintain customer trust. Continuous monitoring of threat actors like Ddarknotevil is essential for effective incident response strategies in an evolving cyber threat environment.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Delay a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.