Self Assessment

Weekly Intelligence Report – 25 Aug 2023

Published On : 2023-08-25
Share :
Weekly Intelligence Report – 25 Aug 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Targeted Geography: Austria, Netherlands.
Targeted Industries: Hotel, Retailers.


CYFIRMA Research and Advisory Team has found a new INC ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Relevancy: This ransomware targets the Windows Operating system commonly used by many organizations of various industries. The recent victim is: A retail Industry in the Netherlands.

INC ransomware:

Researchers have identified a new ransomware strain called INC, targeting large commercial entities. The ransomware will encrypt the file and append it with the “.INC” extension.

After the encryption process was concluded, INC ransomware created a ransom note titled “INC-README.txt”.

Ransomware Attack Breakdown

“Server 1,” “Server 2,” and “Server 3” are references to different computer systems or servers that were involved in the sequence of events. They are distinct server instances that were accessed and interacted with by the threat actor during various stages of the attack.

The research uncovered initial signs of the ransomware threat actor’s activity, marked by brief 2-3 second connections to Server 1. These connections, originating from the same IP address, utilized three distinct source system names (ylqlCXO9VdRiZ5JK, aJLXC9TzxgInkqf4, and UxUZNZXxMeBN2jox). All accessed the target system using the same account name.

About four and a half hours later, compromised credentials were utilized for Remote Desktop Protocol (RDP) access to the same system. This 30-minute connection involved minimal enumeration activities, including commands like ‘net group domain admins /domain’ and ‘nltest.exe’.

Subsequently, a brief RDP login to Server 2 was noted, employing previously observed credentials. During this session, several 7-Zip commands were used for data collection in a consistent format: 7.exe a -mx3 -xr!*.exe -xr!*.mp4 -xr!*.wmv -xr!*.mov -xr!*.avi -xr!*.MXF -xr!*.MTS -xr!*.vhd <archive name> <source folder>.

Native tools (Wordpad.exe, Notepad.exe, MSPaint) were used by the threat actor to view documents and images. Moreover, MEGASync installation on Server 2 likely aided data exfiltration.

The threat actor revisited Server 2 via RDP, repeating collection and data staging commands. Later, they accessed Server 3 via RDP, followed by installing Advanced IP Scanner. Shortly after, lateral movement to Server 2 occurred via RDP.

During the Server 3 logon, the threat actor employed Internet Explorer (iexplore.exe) to browse other systems’ folders and mstsc.exe to attempt lateral movement. PuTTY was installed, and around three hours later, credential access commands were executed on all servers. Roughly four hours following the Server 3 logon, the threat actor executed copy and wmic.exe commands consecutively, distributing the file encryption executable to various endpoints. Additionally, PSExec was used to launch the executable, renamed “winupd,” resulting in System Event Log records.

While the research revealed difficulties in running the encryption executable on Server 3, with no signs of encrypted files or ransom notes, the threat actor attempted troubleshooting using <redacted>.exe –debug commands.

Files Encrypted by INC Ransomware(Source: Surface web)

INC Ransomware Note (source: surface web)

Countries Targeted by INC Ransomware


  • Tool Diversity for Data Handling: The threat actor utilized various tools for data handling. Native tools like Wordpad.exe, Notepad.exe, and MSPaint were used to view files, while MEGASync was installed to aid data exfiltration, indicating a versatile approach.
  • Dynamic Execution of Encryption: The threat actor’s execution of the encryption process involved sequential steps, including distributing the encryption executable to multiple endpoints using copy and wmic.exe commands. This dynamic approach demonstrated an organized deployment strategy.
  • Troubleshooting and Adaptation: The threat actor demonstrated adaptability by attempting to troubleshoot issues faced during encryption execution on Server 3. Their use of <redacted>.exe –debug commands reflects their willingness to adapt and resolve technical challenges to achieve their goals. This also shows the lack of indicator removal capabilities as the traces were not removed after debugging.
  • Based on the list of victims, it is conceivable that the ransomware’s primary focus might be countries within Europe.

Following are the TTPs based on MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0001: Initial Access T1078.002: Valid Accounts: Domain Accounts
2 TA0002: Execution  T1059.001: Command and Scripting Interpreter: PowerShell
 T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1047: Windows Management Instrumentation
3 TA0003: Persistence T1078.002: Valid Accounts: Domain Accounts
4 TA0004: Privilege Escalation T1078.002: Valid Accounts: Domain Accounts
5 TA0006: Credential Access T1003.001: OS Credential Dumping: LSASS Memory
6 TA0007: Discovery T1482: Domain Trust Discovery
7 TA0008: Lateral Movement T1021.001: Remote Services: Remote Desktop Protocol
T1021.002: Remote Services: SMB/Windows Admin Shares
8 TA0009: Collection T1560.001: Archive Collected Data: Archive via Utility
9 TA0010: Exfiltration T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage
10 TA0040: Impact T1486: Data Encrypted for Impact

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Information Stealing
Target Technology: Windows OS
Active Malware of the Week
This week “QwixxRAT” is trending.


In August 2023, researchers found a malware called QwixxRAT (also known as Telegram RAT). It is being distributed by a threat actor through platforms like Telegram and Discord. This malware is designed to secretly gather sensitive information from Windows computers where it’s installed. The collected data is then sent to the attacker’s Telegram bot, giving them unauthorized access to the victim’s private information. This threat affects both businesses and individual users, as the malware discreetly infects devices and extracts a broad range of data.

Attack method

The QwixxRAT file is a C#-compiled binary, functioning as a 32-bit executable file designed for CPU operations. QwixxRAT is designed to collect lots of different types of information, like web history, credit card details, and even what keys are pressed. This RAT can do more than just steal data; it has powerful tools that let the attackers control the computers it infects. They can give commands and even make the computers stop working.

QwixxRAT has 19 functions that each do different things. It also has a special configuration function that decides how it acts on the computer it’s on. This configuration function contains various values, which can be in the form of booleans, file extensions, or other types of data. Based on these values, the RAT adapts its actions accordingly.

Functions of QwixxRAT

Function 1: HideConsoleWindow – As this is a CPU program, the threat actor conceals the console to remain covert.

Function 2: CheckMutex – The threat actor uses a mutex value check to stop the program from running twice. They generate an MD5 value for the string and check if the current user has special powers (admin privileges). If the user is an admin, the threat actor creates a new mutex using the string to make sure only one copy of the program runs on the computer.

Function 3: SecurityProtocol – This code snippet sets the “ServicePointManager.SecurityProtocol” property to enable support for multiple secure network protocols. The application ensures backward compatibility and broader compatibility with various servers and clients by including SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. This configuration allows the application to securely communicate with servers requiring different SSL/TLS versions to establish secure connections.

Function 4: Elevate Privileges – The code tries to make the program run with admin rights by restarting itself (Hidden Attribute) with the “runas” verb. If the user says no or if the settings prevent it, the code keeps trying to get admin rights using a loop.

Function 5: Sleep – To evade AV/EDR/Sandbox detection, the threat actor incorporates the sleep function to introduce a delay in the execution process.

Function 6: runAntiAnalysis – The threat actor employed three methods for anti-analysis purposes: Sandboxie, VirtualBox, and Debugger.

  • Sandbox check: The code checks if it’s running in a sandbox environment by searching for specific DLLs linked to sandboxing software like SbieDll.dll SxIn.dll, Sf2.dll, snxhk.dll, and cmdvrt32.dll. If it finds any of these DLLs loaded within the current process, the attacker instantly terminates the code execution, understanding that it is running in a sandbox environment.
  • VirtualBox – To check if the file is running in a virtual environment, the threat actor used two WMI queries. First, they used “Select * from Win32_ComputerSystem” to look at “Manufacturer” and “Model” fields. If the strings contain words like “virtual,” “vmware,” or “VirtualBox,” the process stops. Second, they used “SELECT * FROM Win32_VideoController” to check the “Name” property with GetPropertyValue. If the strings contain “VMware” or “VBox,” the process stops too.
  • Debugger – The code tries to find out if the current application is being run under a debugger. It does this by waiting a short time and then seeing if the time that passed is short, like 1 microsecond. The underlying assumption is that that if a debugger is present, there might be delays, causing a smaller time difference. If this happens, the program is terminated as a security measure.

Function 7: installSelf – The threat actor looks for a file at “C:\Users\Chrome\rat.exe”. If it’s not found there, the code copies itself to that location and hides the file.

Function 8: setAutorun – A scheduled task is created for the hidden file located at “C:\Users\Chrome\rat.exe”.

Function 9: MeltFile – The code has a self-destruction feature made for a C# program. When certain conditions are met, it makes a temporary batch script that waits for itself to close. After it closes, it erases the program’s file and starts again from a specific spot called InstallPath (“C:\Users\Chrome\rat.exe”). This type of self-destruction is commonly seen in malware to hide or in security tools to delete sensitive parts once they’re done. The batch script checks if there’s a parent process with a certain ID (1207) and waits until it’s there. When the parent process is found, the script removes the “stealer.exe” file (which is the parent), switches to the “C:\Users\Chrome” folder, and then runs the “rat.exe” program (which is a copy of the parent).

Function 10: isConnectedToInternet – The code checks if there’s an internet connection by pinging “” and “”. It keeps trying until both sites respond, and it prints messages status messages to the console during the process.

Function 11: processCheckerThread – The code monitors the processes running on the system and checks for specific ones like “taskmgr,” “processhacker,” “netstat,” “netmon,” “tcpview,” “wireshark,” “filemon,” “regmon,” and “cain.” If any of these are found, it stops the network activity and waits until the process is gone. When the process is gone, the network activity starts again, and the code sends a message to a Telegram bot to tell it that the blocked process was detected.

Function 12: keyloggerThread – The code has a function that captures keyboard events and saves them to a file. It changes special keys into understandable forms and organizes the keystrokes based on the window’s title. Keyboard hooks are used for things like keylogging and handling hotkeys. It’s important to know that while keyboard hooks can be used for good things like accessibility, they can also be misused for bad things like secret keylogging without the user knowing.

Function 13: AutoStealerThread – The code is made to secretly collect private information from a specific computer. It takes screenshots, gets login details, credit card info, web history, FTP credentials, messenger data, and data from the Steam platform. Then, it sends all this taken data to the attacker using a hidden Telegram channel.

Function 14: Clipper – The threat actor may exploit clipboard manager APIs to illicitly access sensitive information copied to the device’s clipboard. The code aims to extract cryptocurrency wallet information from the following organizations: Monero, Ethereum, and Bitcoin.

Function 15: protectProcess – By adjusting “SeDebugPrivilege” to level 2, your program gains a special privilege known as “Debug Privilege.” This privilege is typically needed for specific tasks like debugging or system administration.

Function 16: PreventSleep – It’s worth mentioning that the value 2147483651U used in this context represents a combination of flags (ES_CONTINUOUS, ES_SYSTEM_REQUIRED, and ES_AWAYMODE_REQUIRED) to set the system’s execution state. These flags ensure that the system remains continuously active, preventing sleep or idle mode, even if the user is away, such as during presentations or video playback.

Function 17: sendConnection – The purpose of this code is to send a text message to a specific chat on Telegram using a Telegram bot.

Function 18: waitCommandsThread – The code sets up a loop to keep an eye on messages and commands from the Telegram bot. It reacts quickly based on these messages, like downloading files, running commands, or telling the bot owner about unknown messages. This way, the code makes sure the bot stays active and deals with new messages quickly.

Function 19: MainForm – The code makes the main form of the app borderless and hidden from the taskbar. Also, the app is given high priority when the system is shutting down, so it can finish important tasks before the system turns off.


  • QwixxRAT seems to be a type of malicious software created by cybercriminals to carry out harmful activities on computers. It’s like a digital spy that they distribute through messaging platforms like Telegram and Discord, which many people use. This RAT is probably designed to secretly get into people’s computers, steal their private information, and allow the attackers to control the computer from afar.
  • The excerpt highlights a concerning aspect of the cybercriminal landscape, specifically related to the sale and distribution of malicious tools like RATs. It illustrates how cybercriminals are adapting a business-oriented approach, capitalizing on the demand for ready-to-use hacking tools. This trend underscores the evolving sophistication of cybercrime, where attackers not only create malware like QwixxRAT but also modify, enhance, and commercialize it for profit.
  • A threat actor is using both Telegram and Discord to sell a QwixxRAT. They have a price list for different access options, including permanent access for 500 rubles and one-week access for 150 rubles. After a purchase, they create a separate channel for the buyer to access the gathered data.

Indicators of Compromise

Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rules

rule QwixxRAT
malware_name = “QwixxRAT”
description = “QwixxRAT is a trojan designed to extract browser cookies, histories, credit card information and capture keylogger activities from targeted devices”
version = “1”

$string_0 = “[CAPSLOCK: ON]” ascii wide
$string_1 = “[ESC]” ascii wide
$string_2 = “webcam.png” ascii wide
$string_3 = “SELECT * FROM win32_operatingsystem” ascii wide
$string_4 = “\\User Data\\Default\\Login Data” ascii wide
$string_5 = “recentservers.xml” ascii wide
$string_6 = “credit_cards.txt” ascii wide
$string_7 = “Tasklist /fi” ascii wide
$string_8 = “Select * from AntivirusProduct” ascii wide
$string_9 = “\\keylogs.txt” ascii wide
$string_10 = “AutoStealer” ascii wide

all of them
(Source: Surface Web)


  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.
  • Establish a robust security posture that is thoughtfully layered with a series of security mechanisms and controls in the network to protect the confidentiality, integrity, and availability of critical data.


  • Strengthen boundary defence such as network segmentation and have a strong access management capability in line with the Principle of Least Privilege (POLP) that can assist in mitigating cyberattacks.
  • Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.
  • Ensure compromised systems are disconnected from the network and powered down as soon as possible.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate compromise of credentials.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Employ robust endpoint security options that will allow your IT team to identify what confidential information is being stolen, when, and through what specific channel or device.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Add the YARA rules for threat detection and monitoring in SIEM/SOAR solutions which will help to detect anomalies in log events, identify and monitor suspicious activities.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption, Reputational Damage.
  • Ransomware –Play Ransomware | Malware – QwixxRAT
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – QwixxRAT
  • Behavior –Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

A New APT Carderbee Exploits Legitimate Software for Malware Distribution

  • Threat Actors: Carderbee
  • Attack Type: Supply Chain
  • Objective: Unknown
  • Target Technology: Windows
  • Target Geographies: Hong Kong and other regions of Asia
  • Business Impact: Operational Disruption

In a recent observation, a newly identified advanced persistent threat (APT) group named Carderbee has executed a sophisticated supply chain attack, using the legitimate Cobra DocGuard software to infiltrate victim computers and deploy the Korplug backdoor (also known as PlugX). The attackers leveraged a legitimate Microsoft certificate to sign their malware, evading detection and enhancing their credibility. Predominantly targeting victims in Hong Kong, with some across Asia, the campaign’s primary aim was to distribute the Korplug backdoor. The campaign’s origins remain uncertain, and while Korplug is associated with various APT groups, this activity couldn’t be definitively linked to any known threat actor. Cobra DocGuard, a product by China-based EsafeNet, was exploited in this operation, hinting at a carefully orchestrated supply chain attack. The attackers demonstrated precision by infecting around 100 computers, out of approximately 2,000 with the Cobra DocGuard software, signifying targeted payload delivery. The attack’s multi-stage process involved a downloader with a valid Microsoft certificate, used to introduce the Korplug backdoor. The attackers skilfully manipulated the legitimate update process of Cobra DocGuard to execute their malicious actions, deploying x64 and x86 drivers to manipulate and compromise victim systems.

The APT group demonstrated a clear understanding of how to exploit the trust associated with legitimate software, as they manipulated the update process of the Cobra DocGuard software to deliver their malicious payload. This tactic not only bypassed traditional security measures but also exploited a vector that many users and organizations consider safe. On top of it, the threat actor choosing 100 specific targets out of 2000, hints about good strategic planning that could further help in evading detection.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

North Korean hackers target South Korea–US military exercises
South Korea’s Police have announced that the North Korean threat actor known as Kimsuky has targeted South Korean contractors, working for a joint military exercise between the US and South Korea. The agency found that an IP address used in the attack was also used in an alleged Kimsuky hack against a South Korean nuclear reactor operator in 2014.

The threat actor has reportedly used spearphishing attacks in an attempt to steal information, however, the police agency stated that no classified or military-related information was stolen. North Korea has initiated the attacks in response to South Korean and U.S. forces’ 11-day Ulchi Freedom Guardian summer exercises, which are targeting the improvement of their joint ability to respond to North Korea’s evolving nuclear and missile threats.

US Intelligence Agencies Warn of Cyber Threats to Space Systems
The US Federal Bureau of Investigation (FBI), the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) have issued a bulletin outlining cyberespionage threats targeting the space industry. As per the report, foreign spies and hackers are targeting the commercial space industry as they recognize the importance of the US economy and national security, including the growing dependence of critical infrastructure on space-based assets. These are not only seen as a potentially vulnerable point of the world’s biggest economy, but also as valuable opportunities to acquire vital technologies, free-of-charge technological innovation, and expertise. Cyberattacks are then typically targeting key supply chain nodes in a bid to gain access to classified assets.

The warning bears heavily on the threat to intellectual property, which was a topic of a recent CYFIRMA report on Chinese state IP theft programs, but it also warns against direct threats to space systems themselves. China and Russia represent serious adversaries in this field, and US Intelligence agencies posit that any future war will open with a cyberattack against satellite systems. Russia’s invasion of Ukraine has confirmed the template with Russian military intelligence hacking key satellite communications, utilized by the Ukrainian army on the first day of its attack on the country.

Former Head of Russian Cyberspace Information Operations Presumed Dead
Russia’s most powerful mercenary Yevgeny Prigozhin was on board a plane that crashed on the evening of 23rd August, north of Moscow with no survivors, according to Russian authorities. The crash, which was filmed live by onlookers, has been according to yet unconfirmed reports caused by Russian anti-aircraft missiles.

Prigozhin’s death would leave the Wagner Group, which incurred President Vladimir Putin’s wrath in June by staging an abortive armed mutiny against the army’s top brass, leaderless, and raise questions about its future operations in cyberspace and elsewhere. Whatever the cause of the crash, his death would also rid President Putin of a person responsible for the most serious challenge to the Russian leader’s authority since he came to power in 1999. To read more on Yevgeny Prigozhin and his activities including his sponsoring of the infamous Russian troll factory, which tried to influence American elections.

Rise in Malware/Ransomware and Phishing

Bolton Group is Impacted by Play Ransomware

  • Attack Type: Ransomware
  • Target Industry: Consumer goods
  • Target Geography: Italy
  • Ransomware: Play Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from Italy, (www[.]boltongroup[.]net), was compromised by Play Ransomware. Bolton Group is a multinational that has been producing and distributing for over 70 years a vast range of innovative and sustainable branded products. Currently, the data that was compromised has not been disclosed on the leaked website. This implies that potential negotiations might be taking place between the targeted party and the ransomware group. The data that has been compromised includes sensitive and personal confidential information, as well as documents related to clients and employees, such as passports, IDs, financial records, and tax documents.

The following screenshot was observed published on the dark web:

Source: Dark Web


  • Recently we observed that the Play Group breaks into MSP (managed service providers) systems and uses their remote monitoring and management (RMM) tools to get unfettered access to the networks and systems of customers of the MSPs. It is a tactic that other threat actors have used with substantial impact. The most notable example remains the REvil ransomware group’s attack on multiple MSPs via vulnerabilities in Kaseya’s Virtual System Administrator (VSA) network monitoring tool. The attack resulted in the encryption of data on the systems of more than 1,000 customers of these MSPs. The Play actors gain access to a customer environment — via the victim’s MSP — they move quickly to deploy additional exploits and broaden their foothold.
  • Play’s focus is directed towards midsize enterprises, within sectors like finance, legal services, software development, shipping, law enforcement, and logistics. Their primary geographical targets encompass the United States, Australia, the United Kingdom, Italy, and other nations. Moreover, Play’s ransomware operations extend to encompass governmental bodies at state, local, and tribal levels, across the same set of countries.
  • The group’s arsenal has seen expansion through the incorporation of fresh exploits, including tools like ProxyNotShell, OWASSRF, and a method for remote code execution on Microsoft Exchange Servers. Beyond utilizing remote desktop protocol servers as a means of infiltrating networks, Play ransomware has also demonstrated utilization of vulnerabilities within FortiOS, specifically those tracked as CVE-2018-13379 and CVE-2020-12812.

Vulnerabilities and Exploits

Vulnerability in Ivanti Sentry

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: MobileIron Sentry (Client/Desktop Application / Other client software)
  • Vulnerability: CVE-2023-38035 (CVSS Base Score 9.8)
  • Vulnerability Type: Improper Authentication
  • Patch available: Yes
  • Exploited in the wild: Yes

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to missing authentication on certain APIs.

A remote attacker can send a specially crafted HTTP request to port 8443/TCP, bypass authentication process, and execute arbitrary code on the system. Affected Products: https[:]//www[.]ivanti[.]com/blog/cve-2023-38035-vulnerability-affecting-ivanti-sentry

Latest Cyber-Attacks, Incidents, and Breaches

NoName hackers target nine institutions within Norway’s critical infrastructure

  • Threat Actors: NoName
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Geographies: Norway
  • Target Industries: Government and private companies
  • Business Impact: Operational Disruption

The latest incident involves the NoName hackers’ group, which has once again directed its attention towards Norway. This time, they have asserted responsibility for an assault on nine essential infrastructural systems within the nation. This recent event contributes to the ongoing sequence of cyber incursions targeting Norway. The attack on Norway’s infrastructure was initiated through a Distributed Denial of Service (DDoS) attack, as disclosed by the threat actors. The NoName ransomware group has imprinted its digital signature by vandalizing numerous websites, as evidenced by their online statements and compromised links. The entities affected encompass both governmental entities and private enterprises, underscoring the expansive aspirations of the attackers. Prominent organizations have been identified as targets in the purported cyber assault on Norway. These comprise Bompengeselskap Nord AS (BPS Nord), a toll firm in Norway owned by Nordland and Troms og Finnmark counties; Ferde AS, a toll company in Norway owned by Agder, Rogaland, and Vestland counties; Ruter AS, the public transportation authority serving Oslo and Akershus counties; Boreal Norge AS, a Norwegian public transport operator with activities spanning multiple counties; the highest legislative body in Norway, Stortinget (Norwegian Parliament); and the governing body of Oslo, the capital city, Oslo Municipality.

Source: Twitter

Although unquestionably concerning, the cyber-attack on Norway is not an unprecedented occurrence for the country. In June 2022, Norway encountered a distributed denial-of-service (DDoS) attack that caused disruptions across multiple entities. Subsequently, in July 2023, diverse ministries within the Norwegian government fell victim to a cyber-attack. The Norway Security Authority documented this attack, attributing it to a “criminal Pro-Russia” collective. Thankfully, no sensitive information was compromised during this cyber assault on Norway.

Data Leaks

Carsworld’s Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Retail
  • Target Geography: Indonesia
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Carsworld, {www[.]carsworld[.]id}. Carworld stands as an automotive dealership founded on three core principles: Speed, Innovation, and Trust. The data that has been breached includes details like merchant ID, category ID, name, email, phone number, WhatsApp information, and various other confidential data in SQL format.

Source: Underground forums

Constantly seeking financial gains, opportunistic cybercriminals remain vigilant for accessible and weak systems and applications. Most of these attackers participate in clandestine discussions within underground forums, where they engage in the purchase and sale of stolen digital assets. In contrast to financially motivated groups like ransomware or extortion syndicates, who often publicize their attacks, these culprits prefer discreet operations. They exploit unpatched systems or vulnerabilities in applications to infiltrate and exfiltrate valuable data. Subsequently, this stolen data is promoted for sale on underground platforms, finding its way to new owners and being repurposed in subsequent attacks by other perpetrators.

Other Observations

CYFIRMA Research team observed a potential data leak related to Vesicash Financial Technology, {www[.]vesicash[.]com}. Vesicash Financial Technology is a company that operates in the Financial Services industry. The company is headquartered in Nigeria. The data that has been compromised includes user identifiers, account IDs, account types, first names, last names, email addresses, phone numbers, usernames, passwords, and additional sensitive information, all presented in SQL format.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.