Weekly Intelligence Report – 25 Nov 2022

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rogue Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), SMiShing, Malvertising
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – Royal Ransomware | Malware – Aurora
  • Please refer to the trending malware advisory for details on the following: Royal Ransomware (one of the ransomware groups covered this week) and Malware – Aurora.
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Mustang Panda Unleashes Fresh Spear-Phishing Attacks on Governments in APAC Region

Suspected Threat Actors: Mustang Panda

  • Attack Type: Spear-Phishing
  • Objective: Unauthorized Access, Data Theft, Lateral Movement, and Espionage
  • Target Technology: Windows, Windows Server
  • Target Geographies: Myanmar, Australia, Philippines, Japan, Taiwan
  • Target Industries: Government
  • Business Impact: Data Loss, Financial Loss

Summary:
In a recent observation, Mustang Panda was seen aggressively using spear-phishing attacks. In its month-long cyber-attack the threat actor targeted Myanmar, Australia, the Philippines, Japan, and Taiwan. The decoy documents were written in Burmese, most of their topics were controversial issues between countries, and they contained words like ‘Secret’ or ‘Confidential.’ This indicates that these recent attacks used Myanmar government entities as their first entry point.

The threat actor was seen creating fake Google accounts to distribute the malware through spear-phishing attacks; the malware was zipped and delivered through Google Drive links, and users were then manipulated into downloading and executing it. The threat actor used techniques like code obfuscation and custom exception handlers to bypass detections, and used the stolen documents as decoys to manipulate victims working with Myanmar government offices into downloading and executing the malware.

Mustang Panda has its own loaders, PlugX, and Cobalt Strike available in its arsenal to compromise victims. Upon a successful breach the group infiltrates the targeted victim’s systems, and the sensitive documents stolen can be abused as entry vectors for the next wave of intrusions.

Insights:
The TONESHELL malware was the primary backdoor deployed in this campaign. The campaign is an espionage campaign with the possible intent of stealing sensitive information.

The actors used the same email address both to host the decoy malicious documents in Google Drive and to deliver the phishing email.
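
The delivery pattern described above (a free-mail sender reusing one Google Drive-hosted archive against several recipients) can be hunted for in mail-gateway logs. The script below is an added example written for this report, not code from the original advisory or from any named vendor; the key=value log format and the sample lines are constructed for illustration, and the list of free-mail domains is an assumption to be extended per environment.

```python
"""Hunt for a free-mail sender pushing the same Google Drive link to several
recipients, the delivery pattern noted in the Mustang Panda insights above.
Added example: the log format and sample lines are constructed, not real telemetry."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed sample mail-gateway log (assumed key=value layout, not real data).
SAMPLE_LOG = """\
2022-11-20T08:01:12Z from=press.office.mm@gmail.com to=analyst@example-gov.test url=https://drive.google.com/file/d/1AbCdEf/view attach=-
2022-11-20T08:03:40Z from=press.office.mm@gmail.com to=deputy@example-gov.test url=https://drive.google.com/file/d/1AbCdEf/view attach=-
2022-11-20T09:15:05Z from=hr@example-gov.test to=staff@example-gov.test url=https://intranet.example-gov.test/policy attach=policy.pdf
2022-11-21T10:22:51Z from=vendor@supplier.test to=procurement@example-gov.test url=- attach=invoice.zip
2022-11-21T11:02:19Z from=press.office.mm@gmail.com to=liaison@example-gov.test url=https://drive.google.com/uc?id=1AbCdEf&export=download attach=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) url=(?P<url>\S+) attach=(?P<attach>\S+)$"
)
# Assumption: extend with the free-mail providers relevant to your environment.
FREEMAIL_DOMAINS = {"gmail.com"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse key=value log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def drive_file_id(url: str) -> Optional[str]:
    """Return the Drive file id for the two common link forms, else None:
    https://drive.google.com/file/d/<id>/view and https://drive.google.com/uc?id=<id>"""
    p = urlparse(url)
    if p.scheme != "https" or p.netloc.lower() != "drive.google.com":
        return None
    m = re.match(r"^/file/d/([^/]+)", p.path)
    if m:
        return m.group(1)
    qs = parse_qs(p.query)
    if p.path == "/uc" and "id" in qs:
        return qs["id"][0]
    return None


def is_freemail(address: str) -> bool:
    """True when the sender domain is a known free-mail provider."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in FREEMAIL_DOMAINS


def flag_drive_lures(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep events where a free-mail sender delivers a Google Drive link."""
    return [e for e in events if is_freemail(e["sender"]) and drive_file_id(e["url"])]


def sender_fanout(flagged: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group flagged events by (sender, Drive file id); a sender reusing one hosted
    file against two or more recipients is the pattern worth escalating."""
    fanout: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in flagged:
        fanout[(e["sender"], drive_file_id(e["url"]))].add(e["rcpt"])
    return {k: sorted(v) for k, v in fanout.items() if len(v) >= 2}


if __name__ == "__main__":
    flagged = flag_drive_lures(parse_log(SAMPLE_LOG))
    for (sender, file_id), rcpts in sender_fanout(flagged).items():
        print(f"sender={sender} drive_id={file_id} recipients={rcpts}")
```

Normalising both Drive URL forms to a single file id is what lets the two link styles in the sample collapse into one cluster; without it, a sender rotating between `/file/d/` and `/uc?id=` links would look like separate, lower-volume events.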

Major Geopolitical Developments in Cybersecurity

Cyber-attack Disrupts French Department of Guadeloupe

The Caribbean island of Guadeloupe, a French overseas territory, has been hit by a cyber-attack that disrupted government services. The authorities have shut down all their computer networks to protect data and are now working on restoring service. So far, details of the attack have not been published beyond the local authorities characterizing it as large-scale.

Guadeloupe is the latest French region to be hit by a cyberattack in recent months. In August, a large hospital near Paris was hit by a ransomware attack that effectively halted its operations; when the hospital refused to pay a multimillion-dollar ransom, patient data was subsequently released by the attackers. By late September, the port city of Caen in Normandy was hit, while the departments of Seine-Maritime and Seine-et-Marne were targeted in October and November respectively.

US General Warns of Cyberattacks on European Ports

Retired US General Ben Hodges, former Commander of US Army Europe, has recently argued that cybersecurity is as important to NATO logistics as missile defense. In support of his thesis, he noted that five years ago the Russian NotPetya campaign against Ukraine spilled over into the transportation sector and disrupted port and shipping operations. The global leader in maritime logistics, Maersk, was hit especially hard by this Russian attack. The General specifically pointed out the importance of the German ports of Hamburg and Bremerhaven in NATO logistical chains: cyber-enabled interference with port operations in these two cities would have a significant effect on the Alliance’s ability to sustain operations in Central and Eastern Europe. The Russian military has so far not been able to repeat the success of the NotPetya campaign, but that campaign demonstrates the ability of determined advanced actors to cause harm in supply chains using tools not dissimilar to today’s ransomware.

US Defense Department to Expand its Cyber Offensive Authority

According to media reports, the forthcoming revision to the 2018 US Department of Defense (DoD) National Security Policy Memorandum is expected to give the department expanded authority to conduct offensive cyber operations. The revision is said in large part to address roles and missions, with the State Department playing a consultative role. Successful US Cyber Command operations have earned the DoD a good reputation with policymakers, who, according to the reports, are likely to authorize advances in the department’s authority so that the Pentagon has more flexibility in active cyber operations and can react faster to developments in the cyber domain.

Rise in Malware/Ransomware and Phishing

Virginia Farm Bureau Mutual Insurance Company Impacted by Royal Ransomware

  • Attack Type: Ransomware, Data Exfiltration
  • Target Industry: Diversified Financial Services
  • Target Geography: United States of America
  • Ransomware: Royal Ransomware
  • Objective: Financial Gains, Data Theft, Data Encryption
  • Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed Virginia Farm Bureau Mutual Insurance Company (www[.]vafb[.]com), which was founded to protect the lives and livelihoods of Virginia’s farmers, being impacted by Royal ransomware. The ransomware group leaked Virginia Farm Bureau Mutual Insurance Company data on its dedicated leak site on 17 November 2022. As per Royal Ransomware, the leaked data contains company operational, financial, and HR documents.

Insights:
Royal is a ransomware operation that started in January 2022 and consists of vetted and experienced ransomware actors from previous operations. Unlike most active ransomware operations, Royal is a private group with no affiliates and does not operate as a Ransomware-as-a-Service.

When Royal ransomware first started its operation, it used the encryptors of other ransomware operations, such as BlackCat. Soon after, the cybercrime enterprise began using its own encryptors, the first of which was Zeon, which generated ransom notes strikingly similar to Conti’s. However, the ransomware gang has rebranded to ‘Royal’ and has been using that name in ransom notes generated by a new encryptor since the middle of September 2022.

The Royal group employs targeted callback phishing attacks in which it impersonates food delivery and software providers in emails disguised as subscription renewals. These phishing emails contain phone numbers that the victim can call to cancel the alleged subscription, but the number belongs to a service that the threat actors have hired to compromise victims’ systems using social engineering techniques.

Recently, researchers discovered that the DEV-0569 group is distributing various payloads, including the Royal ransomware, via Google Ads. Malvertising campaigns are carried out to spread links to a signed malware downloader disguised as software installers or fake updates embedded in spam messages, fake forum pages, and blog comments.

Royal ransomware is targeting businesses all over the world. However, 86% of victim organizations are from the United States, Canada, Malaysia, and Germany.