Self Assessment

Weekly Intelligence Report – 26 July 2024

Published On : 2024-07-25
Share :
Weekly Intelligence Report – 26 July 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows
Target Industries: Accounting, Advertising & Marketing, Aerospace, Agriculture, Airlines, Apparel Retailers, Automobiles, Banks, Basic Resources, Business Services, Chemicals, Computer Services, Construction, Defense, Delivery Services, Electronic Equipment, Energy, Farming, Fishing & Plantations, Finance, Food & Beverage, Furniture, Government, Health Care, Hospitality, Industrial Goods & Services, Law, Manufacturing, Real Estate, Recreational Services, Retail, Semiconductors, Software, Specialized Consumer Services, Telecommunications, Transportation, Trucking and Utilities.
Target Geography: Australia, Canada, Czech Republic, Finland, France, Germany, Italy, Luxembourg, Mexico, Netherlands, Norway, Poland, Slovakia, South Africa, South Korea, Spain, Sweden, Switzerland, United Kingdom, United States.

Introduction
CYFIRMA Research and Advisory Team has found a Play Ransomware in the wild while monitoring various underground forums as part of our Threat Discovery Process.

Play
Play, also known as PlayCrypt, emerged as a ransomware threat in June 2022.

The Play ransomware group is thought to function as a closed unit, aiming to guarantee transaction confidentiality, as mentioned on their data leak website. Actors linked to Play ransomware follow a double-extortion approach, encrypting systems only after extracting data. The ransom notes from the group lack initial ransom demands or payment instructions; instead, victims are prompted to contact the threat actors via email.

To gain initial access to victim networks, the Play ransomware group exploits valid accounts and vulnerabilities in public-facing applications. They specifically target known vulnerabilities in FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (CVE2022-41040 and CVE-2022-41082). Threat actors also use external facing services like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN).

The group uses tools such as AdFind for Active Directory queries and Grixba to check for a list of security files and processes. Additionally, they employ tools like GMER, IOBit, and PowerTool to disable anti-virus software and erase log files. In certain instances, Play ransomware actors are observed using PowerShell scripts to target Microsoft Defender.

For lateral movement and file execution, the threat actors leverage command and control (C2) applications like Cobalt Strike and SystemBC, along with tools like PsExec. Once inside a network, they actively search for unsecured credentials and use the Mimikatz credential dumper to gain domain administrator access. To identify additional privilege escalation paths, the group uses Windows Privilege Escalation Awesome Scripts (WinPEAS) and distributes executables through Group Policy Objects.

Compromised data is segmented, compressed using tools like WinRAR, and transferred via WinSCP to actor-controlled accounts. The files undergo encryption using AES-RSA hybrid encryption, with intermittent encryption applied to every other file portion of 0x100000 bytes. Notably, system files are exempt from this encryption process. Encrypted files receive a .play extension, and a ransom note named ReadMe.txt is dropped.

In the event of a refusal to pay the ransom, the actors threaten to publish exfiltrated data on their leak site accessible through the Tor network with an [.]onion URL. Victims are instructed to contact the Play ransomware group via an email address ending in @gmx[.]de, and ransom payments are expected in cryptocurrency to wallet addresses provided by the actors.

Tools Leveraged by Play Ransomware Actors

Tool Name Description
Mimikatz Allows users to view and save authentication credentials such as Kerberos tickets. Play Threat actors have used it to add accounts to domain controllers.
WinPEAS Used to search for additional privilege escalation paths.
WinRAR Used to split compromised data into segments and to compress files into .RAR format for exfiltration.
WinSCP Windows Secure Copy is a free and open-source Secure Shell (SSH) File Transfer Protocol, File Transfer Protocol, WebDAV, Amazon S3, and secure copy protocol client. Play ransomware actors have used it to transfer data from a compromised network to actor- controlled accounts.
Microsoft Nltest Used by Play ransomware actors for network discovery.
Nekto Used by Play ransomware actors for privilege
PriviCMD escalation.
Process Hacker Used to enumerate running processes on a system.
Plink Used to establish persistent SSH tunnels.
AdFind Used to query and retrieve information from Active Directory.
GMER A software tool intended to be used for detecting and removing rootkits
IOBit An anti-malware and anti-virus program for the Microsoft Windows operating system. Play have accessed IOBit to disable anti-virus software.
PsExec A tool designed to run programs and execute commands on remote systems.
PowerTool A Windows utility designed to improve speed, remove bloatware, protect privacy, and eliminate data collection, among other things.
PowerShell A cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
Cobalt Strike A penetration testing tool used by security professionals to test the security of networks and systems. Play ransomware actors have used it to assist with lateral movement and file execution.

The PLAY ransomware has adopted a ransomware-as-a-service (RaaS) model recently, opening access to a broader spectrum of users, ranging from proficient hackers to less experienced cyber criminals.

Screenshot of files encrypted by Play Ransomware (source: surface web)

Fig: The ransom note of Play ransomware. (Source: Surface Web)

Recent observations:
Researchers have observed Play ransomware targeting ESXi environments for the first time in the evolving ransomware threat landscape.

Businesses commonly use ESXi environments to run multiple virtual machines (VMs). They often host critical applications and data and typically include integrated backup solutions.

Compromising these environments can significantly disrupt business operations and even encrypt backups, further reducing the victim’s capability to recover data.

The submitted sample of Play ransomware to the OSINT platforms indicates that it has successfully evaded security detections.

By the researchers analysis it is found that the Linux variant is compressed in a RAR file along with its Windows variant and is hosted at the URL, hxxp://108.[BLOCKED].190/FX300.rar.

The infection chain of the Linux variant of Play ransomware includes the use of several tools. (Source: SurfaceWeb)

The above figure illustrates the infection chain of this Play ransomware variant. The command-and-control (C&C) server hosts the common tools used in current Play ransomware attacks. This suggests that the Linux variant might utilize similar tactics, techniques, and procedures (TTPs).

Infection Routine of the Linux Variant of Play Ransomware
Similar to its Windows, the sample accepts command-line arguments, although their specific behaviours remain unknown.

Source: SurfaceWeb

The command-line arguments of the Windows and Linux variants of Play ransomware include commands for encrypting drives, files, and network shared resources.

The sample executes ESXi-related commands to verify it is operating in an ESXi environment before initiating its malicious routines. If it is not in an ESXi environment, the sample will terminate and delete itself. Once confirmed, a series of shell script commands are executed.

The following command, in particular, is responsible for scanning and powering off all VMs within the environment:

/bin/sh -c “for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk ‘{print $1}’); do vim- cmd vmsvc/power.off $vmid; done”

This command is responsible for setting a custom welcome message on the ESXi host:

/bin/sh -c “esxcli system welcomemsg set -m=\”

Upon executing the series of ESXi-related commands, the ransomware proceeds to encrypt various VM files, including VM disk, configuration, and metadata files. The VM disk file, in particular, contains crucial data such as applications and user data.

List of extensions to be encrypted (Source: SurfaceWeb)

Upon completion of the encryption process, the majority of files within the guest operating system, such as “ubuntu,” have their filenames appended with the extension “.PLAY.”

Files encrypted by the ransomware having the .PLAY extension. (Source:SurfaceWeb)

It will also place a ransom note in the root directory and display it on the ESXi client login portal.

The ransom note named PLAY_Readme.txt. (Source:SurfaceWeb)

The login portal of the affected ESXi server also displays the ransom note. (Source:SurfaceWeb)

Upon rebooting the ESXi system, the ransom note will also be displayed on the console as in below figure.

(Source:SurfaceWeb)

Uncovering the Link Between Prolific Puma and Play Ransomware

Researchers monitoring external activities linked to a suspicious IP address revealed that the URL used to host the ransomware payload and its tools is associated with another threat actor known as Prolific Puma.

Prolific Puma’s Activities
Prolific Puma is recognized for generating domain names using a random destination generator algorithm (RDGA). They offer a link-shortening service to other cybercriminals, enabling them to avoid detection while disseminating phishing schemes, scams, and malware.

Table 1: The different tools of Play ransomware resolve to several IP addresses. (Source: SurfaceWeb)

Table 2: The IP addresses hosting the Play ransomware resolves to different domains. (Source: SurfaceWeb)

Tables 1 and 2 illustrate the domains, especially DGAs, that resolve to the IP address associated with the Play ransomware toolkit. These domains are registered under various registrars. Our research shows that Prolific Puma typically uses three to four random characters in their registered domains. The domains listed in the tables match those associated with the IP address linked to Play ransomware.

Prolific Puma uses numerous registered domains. (Source: SurfaceWeb)

A shortened link generated by Prolific Puma matches the observed IP address linked to Play ransomware. (Source: SurfaceWeb)

To further confirm the connection between the two groups, researchers tested the Coroxy backdoor hosted at the same IP address. Black-box analysis revealed that the Coroxy backdoor connected to IP address 45[.]76[.]165[.]129, which also resolves to multiple domains linked to Prolific Puma.

The Coroxy backdoor employed by Play ransomware has been detected establishing a connection to the specified IP address. (Source: SurfaceWeb)

Different domains resolve to the IP address of the Coroxy backdoor connection. (Source: SurfaceWeb)

The IP address to which the Coroxy backdoor connects also resolves to various domains that match the registered domains of Prolific Puma. Upon further examination, the IP address includes “vultrusercontent.com,” aligning with the original IP. As shown in below picture.

A Shodan query of the IP address hosting Play ransomware reveals some details on its associated infrastructure. (Source: SurfaceWeb)

A comparison between the IP address hosting Play ransomware and another IP address linked to Prolific Puma reveals that both share the same autonomous system number (ASN). This indicates they are part of the same network and are managed by the same provider.

The IP address hosting the ransomware (left) and the IP address linked to Prolific Puma (right) exhibit similarities. (Source: SurfaceWeb)

Prolific Puma carefully selects its clients, preferring those deemed worthy of its services. The established reputation of the Play ransomware threat actors makes them likely candidates for Prolific Puma’s offerings. This suggests a potential collaboration between the two cybercriminal entities, with Play ransomware possibly seeking to improve its ability to bypass security measures through Prolific Puma’s services.

Countries targeted by Play Ransomware.

Following are the TTPs based on the MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0001: Initial Access T1091: Replication Through Removable Media
T1190: Exploit Public-Facing Application
2 TA0002: Execution T1059.004: Command and Scripting Interpreter: Unix Shell
T1129: Shared Modules
3 TA0003: Persistence T1574.002: Hijack Execution Flow: DLL Side-Loading
4 TA0004: Privilege Escalation T1055: Process Injection
T1574.002: Hijack Execution Flow: DLL Side- Loading
5 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1055: Process Injection
T1070.004: Indicator Removal: File Deletion
T1497: Virtualization/Sandbox Evasion
T1574.002: Hijack Execution Flow: DLL Side- Loading
6 TA0006: Credential Access T1003: OS Credential Dumping
T1056: Input Capture
7 TA0007: Discovery T1046: Network Service Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1120: Peripheral Device Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
8 TA0008: Lateral Movement T1091: Replication Through Removable Media
T1570: Lateral Tool Transfer
9 TA0009: Collection T1005: Data from Local System
T1056: Input Capture
10 TA0011: Command and Control T1568.002: Dynamic Resolution: Domain Generation Algorithms
T1105: Ingress Tool Transfer
11 TA0040: Impact T1486: Data Encrypted for Impact
T1489: Service Stop
T1491.001: Defacement: Internal Defacement

Relevancy and Insights:

  • The ransomware specifically focuses on the extensively used Windows Operating System, which is widespread across a multitude of industries and organizations.
  • The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate image, and maintain control over compromised systems, evading detection.
  • The ransomware deletes Windows Error Reporting Internal Metadata, disrupting the system’s ability to offer detailed error information. Deleting it helps the ransomware hide its presence, making it harder to be detected.
  • Detect-debug-environment: The ransomware has mechanisms to detect whether it is running in a debugging or analysis environment. It’s a defensive measure to avoid detection and analysis.
  • The ransomware exhibits long sleep behavior in its execution to evade detection by security tools that flag rapid or suspicious activities. Additionally, it checks user input, analyzing actions or keyboard entries, these are the tactics to avoid detection in sandbox environments.

ETLM Assessment:
Based on available information, CYFIRMA’s assessment suggests that Play ransomware is set to become more aggressive, by targeting industries such as Finance, manufacturing, IT, and telecommunications sectors. Recent attacks show a strategic focus on industries with high-value data and critical operations, increasing the risk for Financial Institutions, Manufacturing, IT firms, and Telecom providers.

Additionally, Play ransomware is likely to expand its geographical reach, targeting previously overlooked regions such as East Asia, South East Asia etc. This is driven by the group’s evolving tactics, making it a significant threat globally. As Play ransomware continues to adapt, organizations worldwide must enhance their cybersecurity defenses to counter this growing and sophisticated threat.

Yara Rule
rule win_play_auto { strings:
$sequence_0 = { 0fb78d82feffff 2bc8 899570ffffff 014d84 }
// n = 4, score = 100
// 0fb78d82feffff | movzx ecx, word ptr [ebp – 0x17e]
// 2bc8 | sub ecx, eax
// 899570ffffff | mov dword ptr [ebp – 0x90], edx
// 014d84 | add dword ptr [ebp – 0x7c], ecx

$sequence_1 = { 02c1 c645c5ae 8845c3 b937030000 888556ffffff 8a45c7 c6852fffffff00 }
// n = 7, score = 100
// 02c1 | add al, cl
// c645c5ae | mov byte ptr [ebp – 0x3b], 0xae
// 8845c3 | mov byte ptr [ebp – 0x3d], al
// b937030000 | mov ecx, 0x337
// 888556ffffff | mov byte ptr [ebp – 0xaa], al
// 8a45c7 | mov al, byte ptr [ebp – 0x39]
// c6852fffffff00 | mov byte ptr [ebp – 0xd1], 0

$sequence_2 = { 8bd8 899d88fdffff 85db 0f8483040000 8a0b 80f9e9 7409 }
// n = 7, score = 100
// 8bd8 | mov ebx, eax
// 899d88fdffff | mov dword ptr [ebp – 0x278], ebx
// 85db | test ebx, ebx
// 0f8483040000 | je 0x489
// 8a0b | mov cl, byte ptr [ebx]
// 80f9e9 | cmp cl, 0xe9
// 7409 | je 0xb

$sequence_3 = { c83dad3c d92b e00c 9c 0d05f0657b 4e f30f7e05???????? }
// n = 7, score = 100
// c83dad3c | enter -0x52c3, 0x3c
// d92b | fldcw word ptr [ebx]
// e00c | loopne 0xe
// 9c | pushfd
// 0d05f0657b | or eax, 0x7b65f005
// 4e | dec esi
// f30f7e05???????? |

$sequence_4 = { 7f06 81c4ab000000 83c410 e8???????? 66f1 }
// n = 5, score = 100
// 7f06 | jg 8
// 81c4ab000000 | add esp, 0xab
// 83c410 | add esp, 0x10
// e8???????? |
// 66f1 | int1

$sequence_5 = { a1???????? 8945bc a1???????? 0f11855cffffff 894594 f30f7e05???????? 8b45f8 }
// n = 7, score = 100
// a1???????? |
// 8945bc | mov dword ptr [ebp – 0x44], eax
// a1???????? |
// 0f11855cffffff | movups xmmword ptr [ebp – 0xa4], xmm0
// 894594 | mov dword ptr [ebp – 0x6c], eax
// f30f7e05???????? |
// 8b45f8 | mov eax, dword ptr [ebp – 8]

$sequence_6 = { 91 ae 54 ce 3106 f77cf30f 7e05 }
// n = 7, score = 100
// 91 | xchg eax, ecx
// ae | scasb al, byte ptr es:[edi]
// 54 | push esp
// ce | into
// 3106 | xor dword ptr [esi], eax
// f77cf30f | idiv dword ptr [ebx + esi*8 + 0xf]
// 7e05 | jle 7

$sequence_7 = { 8955f4 8b460c 83ec08 8d0488 8945f8 8d45f4 }
// n = 6, score = 100
// 8955f4 | mov dword ptr [ebp – 0xc], edx
// 8b460c | mov eax, dword ptr [esi + 0xc]
// 83ec08 | sub esp, 8
// 8d0488 | lea eax, [eax + ecx*4]
// 8945f8 | mov dword ptr [ebp – 8], eax
// 8d45f4 | lea eax, [ebp – 0xc]

$sequence_8 = { 898d48fdffff 66898562fdffff 668985e6fcffff 66398d30fdffff 7634 66ff857cfcffff 8d0432 }
// n = 7, score = 100
// 898d48fdffff | mov dword ptr [ebp – 0x2b8], ecx
// 66898562fdffff | mov word ptr [ebp – 0x29e], ax
// 668985e6fcffff | mov word ptr [ebp – 0x31a], ax
// 66398d30fdffff | cmp word ptr [ebp – 0x2d0], cx
// 7634 | jbe 0x36
// 66ff857cfcffff | inc word ptr [ebp – 0x384]
// 8d0432 | lea eax, [edx + esi]

$sequence_9 = { 88852effffff 8b8548ffffff fec8 8855ad 88854dffffff 8d45e8 6689bd0cfeffff }
// n = 7, score = 100
// 88852effffff
// 8b8548ffffff
// fec8
// 8855ad
// 88854dffffff | mov
| mov
| dec
| mov
| mov

al byte ptr [ebp – 0xd2], al eax, dword ptr [ebp – 0xb8]
byte ptr [ebp – 0x53], dl byte ptr [ebp – 0xb3], al
// 8d45e8 | lea eax, [ebp – 0x18]
// 6689bd0cfeffff | mov word ptr [ebp – 0x1f4], di

condition:
7 of them and filesize < 389120
}

(Source: Surface web)

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Yara rules for threat detection and monitoring which will help to detect anomalies in log events and identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Stealing sensitive information, Data exfiltration
Threat Actor: Void Banshee
Target Technologies: Windows OS, Browsers, Discord, Telegram, Steam, Crypto wallets, FileZilla
Target Geographies: North America, Europe, and Southeast Asia Exploited Vulnerability: CVE-2024-38112

Active Malware of the Week
This week “Atlantida” is trending

Summary
Void Banshee, an advanced persistent threat (APT) group, is exploiting a recently disclosed zero-day vulnerability CVE-2024-38112 (ZDI-CAN-24433) in the Microsoft MHTML browser engine to deploy an information stealer known as Atlantida. This zero-day vulnerability allows file access and execution via the disabled Internet Explorer using MSHTML. Void Banshee uses this exploit to infect machines with the Atlantida info-stealer, which targets system information and sensitive data like passwords and cookies from various applications. They lure victims with malicious zip archives disguised as book PDFs, distributed through cloud-sharing websites, Discord servers, and online libraries. Their attacks are primarily focused on North America, Europe, and Southeast Asia regions for information theft and financial gain.

Atlantida
Atlantida Stealer is an info-stealer malware with extensive capabilities, built from the open- source stealers NecroStealer and PredatorTheStealer. It targets sensitive information from various applications, including Telegram, Steam, FileZilla, various cryptocurrency wallets, and web browsers. This malware focuses on extracting stored sensitive and potentially valuable data, such as passwords and cookies, and can also collect files with specific extensions from the infected system’s desktop. Additionally, the malware captures the victim’s screen and gathers comprehensive system information. The stolen data is then compressed into a ZIP file and transmitted to the attacker via TCP.

Attack Method
The threat actor exploited CVE-2024-38112 to run malicious code by exploiting the MHTML protocol handler and x-usc directives within internet shortcut (URL) files. This method enabled them to access and execute files directly via the disabled Internet Explorer on Windows machines. The MHTML code execution vulnerability was utilized to infect users and organizations with Atlantida malware.

Internet Explorer used as an attack vector
Internet Explorer (IE) officially ended support on June 15, 2022, and has been disabled in later versions of Windows 10 and all versions of Windows 11. However, IE remnants still exist on modern Windows systems, though they are inaccessible to average users.

Attempting to open IE (iexplore.exe) instead launches Microsoft Edge. For those needing IE-specific functionality, Microsoft provides IE mode in Edge, operating within Edge’s sandbox for enhanced security. In this campaign, researchers discovered samples exploiting CVE-2024-38112. These samples could run files and websites through the disabled IE process by exploiting MSHTML. Using specially crafted .URL files containing the MHTML protocol handler and the x-usc directive, the APT group Void Banshee accessed and executed HTML Application (HTA) files through the disabled IE process.

Fig: Attack chain of the CVE-2024-38112 zero-day campaign (Source: Surface web)

Technical Analysis
Void Banshee used zip archives containing copies of book PDFs and malicious files disguised as PDFs in spearphishing links on online libraries, cloud-sharing sites, Discord, and compromised websites. Their PDF lures included textbooks and reference materials like “Clinical Anatomy,” indicating a focus on targeting highly skilled professionals and students. To exploit CVE-2024-38112, Void Banshee changed the default icon of an internet shortcut file to resemble a PDF, enticing victims to execute it.

Stage 1: Malicious internet shortcut (URL) file
The zero-day attack starts when the victim opens a URL shortcut file designed to exploit CVE-2024-38112. Researchers found a sample named “Books_A0UJKO.pdf.url,” which appears as a PDF book copy. The URL shortcut leverages the MHTML protocol handler and the x-usc! directive via the URL parameter. This exploit is similar to CVE-2021-40444, demonstrating the ongoing misuse of Windows protocol handlers. In this attack, CVE-2024- 38112 redirects victims by using the system-disabled IE to open a compromised website hosting a malicious HTML Application (HTA). Void Banshee crafted the URL string to open the target in Internet Explorer through the iexplore.exe process.

Stage 2: HTML file downloader
The internet shortcut file exploiting CVE-2024-38112 directs to an attacker-controlled domain where an HTML file initiates the HTA stage of the infection chain. This HTML file is crafted to control the window size of Internet Explorer, conceal browser information, and mask the download of the next infection stage. Void Banshee designed the HTML file to manipulate IE’s window size, making it less noticeable. When the URL is accessed via IE, it prompts the user to open or save the HTML application. This behavior is specific to IE, as HTA files are opened by default, unlike modern browsers. The attacker disguises the malicious HTA file by adding 26 spaces to its extension in “Books_A0UJKO.pdf.hta,” making it appear as a PDF file to the user.

Stage 3: HTA file and VBS downloader
The HTA file includes a Visual Basic Script (VBScript) that decrypts XOR-encrypted content with key 4 and then executes it via PowerShell. The script downloads an additional script from a compromised server using PowerShell commands (`irm` for Invoke- RestMethod and `iex` for Invoke-Expression) and creates a new process for this script using the Win32_Process WMI class.

Stage 4: PowerShell trojan downloader
The script first imports two functions: `GetConsoleWindow` from kernel32.dll to retrieve the console window handle and `ShowWindow` from user32.dll to set the window’s visibility. It uses the `Add-Type` cmdlet to define a type in the current PowerShell session. The script then retrieves and hides the console window using `GetConsoleWindow` and `ShowWindow` with a parameter of 0. This is a common technique for malware to operate without displaying a user interface. Next, the script creates a `System.Net.WebClient` object to download data from a malicious server. This data is loaded as a .NET assembly using `System.Reflection.Assembly.Load`, and the script executes the assembly’s entry point, running the code it contains.

Stage 5: .NET trojan loader
LoadToBadXml is a .NET Trojan loader obfuscated with Eziriz .NET Reactor. It decrypts XOR-encrypted payloads using a byte array key (3, 2, 2) and injects them into `C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe` using a common process injection technique. The process involves:

  • Create Process: Launching `RegAsm.exe` in a suspended state via the CreateProcess API.
  • Memory Allocation: Allocating memory within `RegAsm.exe` using the VirtualAllocEx API.
  • Write Payload: Writing the decrypted payload into the allocated memory with the WriteProcessMemory API.
  • Execute Payload: Creating a remote thread in `RegAsm.exe` to execute the payload using the CreateRemoteThread API.

LoadToBadXml is a modified version of the shellcode injector from the Donut Loader open- source project.

Stage 6: Donut loader
Donut is an open-source, position-independent code that allows in-memory execution of VBScript, JScript, EXE, DLL files, and .NET assemblies. In this attack, Donut is used to decrypt and execute the Atlantida stealer within the memory of the `RegAsm.exe` process.

Stage 7: Atlantida stealer analysis
Upon execution, the malware initializes a ZIP file and sets up structures for writing files. It retrieves the “APPDATA” and “DESKTOP” paths using the SHGetFolderPathA API and stores them in a global variable. The malware takes a screenshot, saves it as “screenshot.jpeg,” and adds it to the ZIP archive.

To gather geolocation information, such as IP address, country, and zip code, it contacts its command-and-control (C&C) server over port 6666, storing this data in “Geo Information.txt” and appending it to the ZIP. It also collects system information like RAM, GPU, CPU, and screen resolution, saving it in “User Information.txt” and appending it to the ZIP archive.

The malware extracts credentials and sensitive files from various applications:

  • FileZilla: Extracts data from `recentservers.xml`.
  • Desktop: Collects `.txt` files from the desktop directory.
  • Binance: Retrieves JSON files from `C:\Users\Username\AppData\Roaming\Binance`.
  • Telegram: Gathers data from `C:\Users\Username\AppData\Roaming\Telegram Desktop`.
  • Steam: Extracts configuration files.
  • Web Browsers: Harvests cookies and credentials from Google Chrome, Mozilla Firefox, and Microsoft Edge.
  • Cryptocurrency Extensions: Steals data from Google Chrome and Microsoft Edge extensions using extension IDs. This is the extension path:
  • C:\Users\<YOUR_USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\< Extension ID >.

Finally, the malware compresses all collected data into a ZIP file and exfiltrates it to the attacker’s C&C server over TCP port 6655.

Fig: Example of Atlantida stealer’s collected data

INSIGHTS

  • In this campaign, researchers observed that even though Internet Explorer is no longer accessible to users, threat actors can still exploit residual components of IE within Windows systems. This capability allows them to infect users and organizations with ransomware, backdoors, and other malware. The ability of APT groups like Void Banshee to leverage these disabled services underscores a significant security risk for organizations worldwide. This situation emphasizes the necessity for comprehensive security measures that address all system components, including those that are ostensibly inactive.
  • The exploitation method observed in this campaign bears resemblance to the CVE- 2021-40444 vulnerability, another MSHTML flaw used in zero-day attacks. The current approach, which utilizes the disabled Internet Explorer (IE) process as a proxy for accessing sites and executing scripts, is particularly concerning. Historically, IE has been a significant attack surface, and its lack of updates or security fixes now amplifies its risk. The recent July 2024 Patch Tuesday addressed this issue by patching the vulnerability and unregistering the MHTML handler from IE.
  • The Atlantida Stealer malware exemplifies the increasingly sophisticated nature of cyber threats. It employs advanced techniques to target and extract sensitive information from a wide range of applications and systems. Specifically designed to pilfer valuable data such as passwords, cookies, and other critical files, Atlantida Stealer focuses on both personal and financial information. This highlights the evolving threat landscape and underscores the importance of implementing comprehensive security measures to safeguard against such advanced and targeted attacks.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as cyber threats continue to advance, the exploitation of legacy systems and outdated software, like Internet Explorer, will likely become more prevalent. This trend highlights a growing need for organizations to maintain comprehensive and up-to-date security measures that address not only current but also deprecated technologies. The successful use of CVE-2024-38112 and similar vulnerabilities in sophisticated attacks underscores the potential for increased targeting of such weaknesses in the future. Organizations can expect more targeted phishing campaigns and data breaches as attackers refine their tactics to exploit overlooked system components. To mitigate these risks, businesses must prioritize regular system updates, continuous vulnerability assessments, and robust employee training programs. Additionally, as attackers become more adept at using old technology as attack vectors, organizations will need to adopt a proactive approach to cybersecurity, ensuring that all potential entry points are secured against evolving threats.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Enable security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
  • Exercise VAPT (Vulnerability Assessment and Penetration Testing) assessments on the website to identify and fix security weaknesses & loopholes.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Spear-phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Hunters International Ransomware, RansomHub Ransomware | Malware – Atlantida
  • Hunters International Ransomware – One of the ransomware groups.
  • RansomHub Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – Atlantida
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

APT41: The Persistent Threat Behind Prolonged Cyber Espionage and Data Exfiltration

  • Threat Actors: APT41
  • Attack Type: Malicious Web Shells
  • Objective: Espionage
  • Target Technology: Windows`
  • Target Geographies: Italy, Spain, Taiwan, Thailand, Turkey, and the U.K
  • Target Industries: Shipping and Logistics, Media and Entertainment, Technology, and Automotive Sectors
  • Business Impact: Data Loss, Data exfiltration

Summary:
APT41, an advanced persistent threat group with ties to Chinese state-sponsored espionage, has been actively conducting a prolonged and sophisticated cyber campaign targeting multiple industries across various regions. Known for their unique approach of utilizing non-public malware for both espionage and personal gain, APT41 has compromised organizations in the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of these targeted entities are based in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom, reflecting the group’s broad geographical reach.

The initial phase of APT41’s attack involved deploying ANTSWORD and BLUEBEAM web shells to infiltrate systems and deliver the DUSTPAN dropper. This dropper executed the BEACON backdoor, establishing command-and-control communication with APT41’s infrastructure. This foothold allowed them to gain initial access and begin their operations. As they deepened their intrusion, APT41 escalated their tactics by deploying the DUSTTRAP dropper, which decrypted and executed malicious payloads in memory, leaving minimal forensic traces. They also engaged in hands-on keyboard activity, demonstrating their capability for direct and active manipulation of compromised systems.

To further their objectives, APT41 employed publicly available tools such as SQLULDR2 to extract data from databases and PINEGROVE to exfiltrate this data to Microsoft OneDrive. These tools enabled them to systematically export large volumes of sensitive information from the compromised networks, maintaining their presence and ensuring continuous data extraction.

APT41 has been infiltrating and maintaining unauthorized access to numerous networks since 2023, primarily for data extraction and espionage. Their activities highlight the significant resources and capabilities they possess, aiming to gather sensitive information over an extended period.

Relevancy & Insights:
APT41, also known as Double Dragon, is a Chinese state-sponsored espionage group known for its dual nature of conducting both state-sponsored espionage and financially motivated operations. Historically, APT41 has specialized in sophisticated software supply-chain attacks, compromising software development environments to inject malicious code and distribute it through normal software channels. They have also exploited vulnerabilities like the Log4j flaw to infiltrate U.S. state government networks. In the current incident, APT41 utilized ANTSWORD and BLUEBEAM web shells to deploy the DUSTPAN backdoor, leading to the execution of BEACON for command and control. They further leveraged DUSTTRAP for hands-on keyboard activity and PINEGROVE to exfiltrate sensitive data to OneDrive, also using SQLULDR to extract data from Oracle databases. APT41’s operations aim at both espionage and financial gains, frequently targeting sectors such as healthcare, high-tech, media, pharmaceuticals, and video games, across countries like the United States, the United Kingdom, and Japan. Their dual motives and extensive target range highlight the group’s persistent and growing threat to global cybersecurity.

ETLM Assessment:
APT41, also known as Double Dragon, Barium, Winnti, Wicked Panda, Wicked Spider, Bronze Atlas, and Red Kelpie, is a prolific Chinese state-sponsored espionage group active since 2012, uniquely combining state-sponsored espionage with financially motivated activities. They typically target countries such as Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom, focusing on industries like global shipping and logistics, media and entertainment, technology, and automotive. APT41 exploits vulnerabilities in Internet-facing web applications, including SQL injection and directory traversal vulnerabilities, and notable zero-day vulnerabilities like those in USAHerds and Log4j. They have used malware such as ANTSWORD and BLUEBEAM web shells to execute DUSTPAN and BEACON backdoor for command-and-control communication, DUSTTRAP for hands-on keyboard activity, PINEGROVE for data exfiltration to OneDrive, and SQLULDR2 for exporting data from Oracle databases.

APT41’s operations are dual in nature, focusing on both espionage and financial gains, particularly within the video game industry. They quickly adapt to detections, often recompiling malware within hours. Given their ability to exploit new vulnerabilities rapidly and adapt their tactics, APT41 is expected to remain a significant threat, potentially connecting attacks across critical infrastructures to cause widespread disruption and economic impacts. Organizations in targeted sectors and countries should maintain vigilant and robust security measures to detect and respond to these evolving threats.

Recommendations:

  • Perform frequent security audits and vulnerability assessments to identify and mitigate potential security gaps. Engage in penetration testing to simulate attacks and evaluate the effectiveness of security measures.
  • Use advanced endpoint protection solutions to detect and prevent the execution of malicious software such as DUSTPAN and BEACON. Ensure that antivirus and anti- malware solutions are updated regularly.
  • Perform frequent security audits and vulnerability assessments to identify and mitigate potential security gaps. Engage in penetration testing to simulate attacks and evaluate the effectiveness of security measures.
  • Employ network monitoring tools to analyze traffic for unusual patterns indicative of data exfiltration or unauthorized access. Set up alerts for anomalous activities, such as large data transfers to external locations like OneDrive.

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Russia threatens the Olympic games
In the wake of the French government’s discussion to potentially send military trainers and even before the recent decision on the provision of Mirage 2000-5 jet fighters to Ukraine, France’s Ministry of Defense has recently warned of possible sabotage attacks by Russia on French military sites this year. Our analysts agree, moreover, we posit that during the Paris Olympics, Russia is likely to target civilian targets in France as well, in order to embarrass the government for President Macron’s repeated comments, in which he suggested NATO could deploy NATO troops in Ukraine. There has been a real stepping up of Russian activity in the intelligence and shadow sphere, intensifying Russian political war on NATO, as the freshly inaugurated president Putin reshuffles his government to include more macroeconomists, who will be needed for the long war Russia clearly intends to fight in the coming years.

As past Russian threats trying to prevent Europe from providing Ukraine with military aid were revealed as bluffs, the Western risk appetite grew. But circumstances change and since we are moving into an even more tense period than before, we should expect Russia to try to strike back in a covert way and to attack the confidence of the Western public.

ETLM Assessment:
Since events like the Olympic Games are at once bid by the host nation to accrue soft power and the focus of global attention, any embarrassing scandals, technical glitches, or unexpected blunders will be magnified as much by the legitimate media as Russian bots and trolls. In the current circumstances, with President Macron taking a hawkish stance on Russia and with Russian athletes banned from the Games, unless they can prove their opposition to the war (so far, only eight have), Moscow has plenty of incentives to attack the games. Hackers linked to the Russian intelligence services disrupted the opening ceremony of the 2018 Winter Olympics in South Korea, using a cyber-attack to shut down a significant portion of the digital infrastructure being used to hold and broadcast the event and French officials are bracing for more such cyber-attacks this year. At a minimum, Russia is preparing to target the Paris Olympics with information campaigns – or rather, these operations have already started.

Russian hackers disrupted heating services in Ukraine
Researchers have published a report on a new strain of ICS malware that disrupted a district energy company in Lviv, Ukraine this winter, resulting in a two-day loss of heating to 600 apartment buildings during sub-zero temperatures. According to researchers, the malware gained access to the ICS systems through an unknown vulnerability in an externally facing Mikrotik router. The adversaries did not attempt to destroy the controllers, instead they caused the controllers to report inaccurate measurements, resulting in the incorrect operation of the system and the loss of heating to customers. In this detail, the attack was similar to the famous US–Israeli hack of an Iranian nuclear facility in Natanz, using the Stuxnet malware.

ETLM Assessment:
Russia continues to use its mass in the Donbas and is making gradual and potentially important gains that could threaten important roads that help Ukraine resupply forces across the front. Nevertheless, the chance of a major Russian breakthrough appears increasingly slim. Russia’s war on Ukraine’s energy infrastructure, however, is causing havoc, with Ukraine reportedly losing half of its power generation, leading to some rolling black outs. This campaign is part of the Russian effort to bring Ukraine to submission by depriving its citizens of basic services.

4. Rise in Malware/Ransomware and Phishing

The Hunters International Ransomware impacts the HOYA Corporation

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan; (www[.]hoya[.]com), was compromised by the Hunters International Ransomware. HOYA Corporation is a Japanese multinational company that has been a leader in optical technology. HOYA is a major player in the eyeglass lens market, with advanced technologies aimed at providing superior vision correction solutions. Their products are distributed globally across 52 countries. The company initially specialized in optical glass but has since expanded into a diverse array of fields, including healthcare, information technology, and other high-tech areas. The breached data includes sensitive and confidential organizational information. The total size of the breached data is 2 TB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Hunters International is a Ransomware that targets Windows and Linux environments which add .LOCKED extension to the encrypted files on the victim machine once the data exfiltration gets completed by the Ransomware group.
  • Recent updates about the Hunters International ransomware group reveal significant developments since its emergence in late 2023. Notably, Hunters International is strongly linked to the infamous Hive ransomware, utilizing similar source code and infrastructure. After Hive’s operations were disrupted by an international law enforcement action in January 2023, Hunters International emerged, reportedly acquiring Hive’s source code and infrastructure rather than being a direct rebrand of Hive.
  • The Hunters International Ransomware group primarily targets countries such as the United States of America, Taiwan, Italy, Belgium, and Ireland.
  • The Hunters International Ransomware group primarily targets industries, including Industrial Machinery, Heavy Construction, Health Care Providers, Electronic Equipment, and Business Support Services.
  • Based on the Hunters International Ransomware victims list from 1 24 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1 Jan 2023 to 24 July 2024 are as follows:

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that Hunters International Ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent incident involving an attack on HOYA Corporation, a prominent Manufacturing company in Japan, underscores the extensive threat posed by this ransomware strain in the Asia Pacific region.

The RansomHub Ransomware impacts GarudaFood

  • Attack Type: Ransomware
  • Target Industry: Food & Beverage
  • Target Geography: Indonesia
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia; (www[.]garudafood[.]com), was compromised by the RansomHub Ransomware. Garudafood is one of Indonesia’s leading food and beverage companies, which produces and sells a wide range of food and beverage products under several brand names, including Garuda, Gery, Chocolatos, Clevo, Prochiz, Okky, and Mountea. Their products range from biscuits, peanuts, pilus, and pellet snacks to confectionery, milk beverages, chocolate powder, cheese, and salad dressings. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 10 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • RansomHub is believed to have evolved from the now-defunct Knight ransomware. Both ransomware families share substantial code similarities, including being written in the Go programming language and using identical command execution methods.
  • RansomHub has recently been reported to target VMware ESXi environments using a newly developed Linux encryptor. This encryptor is capable of shutting down virtual machines and removing snapshots before encryption. It employs advanced encryption methods, such as ChaCha20 and Curve25519, to secure the compromised data.
  • The RansomHub Ransomware group primarily targets countries such as Brazil, the United States of America, the United Kingdom, Italy, Brazil, and Spain.
  • The RansomHub Ransomware group primarily targets industries such as Computer Services, Government Agencies, Telecommunications, Financial Services, and Business Support Services.
  • Based on the RansomHub Ransomware victims list from 1 Jan 2023 to 24 July 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by the RansomHub Ransomware from 1st Jan 2023 to 24 July 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on GarudaFood, a leading Food & Beverage firm in Indonesia, highlighting RansomHub’s significant threat presence in Southeast Asia.

5. Vulnerabilities and Exploits

Vulnerability in Sylius

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: E-Commerce systems
  • Vulnerability: CVE-2024-40633 (CVSS Base Score 5.3)
  • Vulnerability Type: Information Exposure
  • Patch: Available

Summary:
The vulnerability allows a remote attacker to gain access to potentially sensitive information.

Relevancy & Insights:
The vulnerability exists due to excessive data output by the application in the /api/v2/shop/adjustments/{id} endpoint.

Impact:
A remote attacker can enumerate valid adjustment IDs and retrieve order tokens.

Affected Products:
https[:]//github[.]com/Sylius/Sylius/security/advisories/GHSA-55rf-8q29- 4g43

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in Sylius can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of Sylius is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding eCommerce activities and custom solutions for mid-market and enterprise brands across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

Arcus Media Ransomware attacked and Published data of the Doodle Technologies

  • Threat Actors: Arcus Media Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Application
  • Target Geographies: United Arab Emirates
  • Target Industry: Information technology
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that Arcus Media Ransomware attacked and published data of the Doodle Technologies (www[.]doodletech[.]ae) on its dark web website. Doodle Technologies, based in the UAE, is an IT support and services company. They offer a range of services including branding, digital marketing, and technology consultancy. Their expertise spans various domains such as IP Telephony, Structured Cabling, Wireless Networking, CCTV, Security Systems, and Time & Attendance Systems. Their services are diverse, covering cloud services, web development, IT infrastructure, and modern security solutions. They provide hybrid solutions combining Microsoft 365 and Cloud Mail, ensuring seamless communication and productivity for businesses. They also offer cloud services such as AWS and Azure hosting, cloud consulting, migrations, and dedicated server hosting. Doodle Technologies also specializes in mobile app development, offering custom solutions for iOS, Android, and cross-platform applications. Their approach focuses on enhancing customer engagement, accessibility, and brand visibility, and providing valuable data insights. The data leak, following the ransomware attack, encompasses sensitive and confidential information related to the organization.

Source: Dark Web

Relevancy & Insights:
Arcus Media is a relatively new ransomware group that has recently made headlines with its attacks on various organizations across different sectors. The group, which emerged in May 2024, operates on a Ransomware-as-a-Service (RaaS) model, allowing other cybercriminals to use their malware for attacks. They are known for using phishing emails to gain initial access and then deploying custom ransomware binaries to execute their attacks.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that Arcus Media Ransomware will continue to target various industries globally, with a significant emphasis on the United States, Europe, and Asia. The recent incident involving an attack on Doodle Technologies, a prominent information technology company located in the United Arab Emirates, underscores the extensive threat posed by this particular ransomware strain in the Middle East region.

7. Data Leaks

Good Smile Company Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to Good Smile Company in an underground forum. A threat actor published a database on a dark web forum claiming that it belongs to Good Smile Company. Good Smile Company is a Japanese manufacturer of hobby products and scale figures. The alleged leak is 184,245 rows in total, and there is data from 76,474 unique users.

According to the forum post, the data is from 2024. The post also contains sample data from the leak, and the alleged data includes Customer ID, Customer Name, E-Mail, Nickname, Customer Group, Status, IP, Date Added, Gender, Login, Type, and Address.

The threat actor claims that this will be a one-time sale and only XMR will be accepted as a form of payment. No contact information is mentioned in the post and those interested are requested to reach out to the threat actor via forum PMs. The data breach is allegedly claimed by the threat actor “888”.

Source: Underground Forums

Universitas Indonesia data advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Education
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to Universitas Indonesia in an underground forum. A threat actor has claimed responsibility for a data breach at the Universitas Indonesia, which reportedly occurred in July 2024. The Universitas Indonesia, a prestigious institution located in Jakarta, is said to have had the personal information of 10,936 users compromised.

The leaked data allegedly includes Personal identification numbers (pencaker_id, no_regis, no_ktp), Full names (nama), Place and date of birth (tempat, tanggal_lahir), Gender (jk),Physical attributes (tinggi, berat),Residential information (provinsi, kota_kab, kecamatan, kelurahan, rt, rw, jalan),Contact information (telp, email),Educational background (pend, jurusan, tahun_lulus),Employment details (jabatan, pt, lokasi, gaji, peng_kerja, lamanya),Additional personal information (agama, status, umur).

The data also includes information about user status, language proficiency, and verification statuses, among other personal details. The threat actor has shared samples of the data to validate the breach.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as “888” poses a significant risk to organizations. This group is known to target any institution and profit from selling sensitive data on the dark web or underground forums. Organizations targeted by “888” typically have inadequate security measures, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA Research team observed a potential data sale related to Celcom Axiata Berhad(Malaysia). A threat actor has claimed to have obtained and is now offering for sale the user database of Celcom Axiata Berhad, dating from 2023 to 2024. Celcom Axiata Berhad, the oldest mobile telecommunications provider in Malaysia and a member of the Axiata group, merged with Digi to form CelcomDigi on December 1, 2022.

The leaked data purportedly includes 30 million user information such as addresses, city details, IC numbers, mobile numbers, names, postcodes, sources, and states. The threat actor has listed the price for this data at $10,000 in BTC (negotiable), also accepting USDT. The data breach is allegedly claimed by the threat actor “Sh1mo”.

Source: Underground forums

The CYFIRMA Research team observed a potential data sale related to a U Mobile (Malaysia). According to a post from a dark web forum, a Malaysian telecom company, U Mobile, has been allegedly breached. The threat actor states that their cyber-attack impacted 4 million people.

In the forum post, the threat actor stated the price for the alleged leak as $5000 BTC and included a Telegram link for contact information.

According to the threat actor, the alleged leak contains name, address, city, IC number, mobile number, postcode, and state information. A sample from the leaked data is also added to the forum post. The data breach is allegedly claimed by the threat actor “Sh1mo”.

Source: Underground forums

ETLM Assessment:
The Threat Actor group “Sh1mo” has become active in underground forums and emerged as a formidable force in cybercrime, primarily motivated by financial gains. The group has already targeted industries including Government, Industrial Conglomerates, Retail, Staffing, Business Consulting, Banks, E-Commerce, and Electric & Utilities. This activity indicates Sh1mo’s intention to expand its attack surface to other industries globally in the future.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.