
Weekly Intelligence Report – 27 Oct 2023

Published On : 2023-10-26

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. They span multiple industries, geographies, and technologies, and could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Targeted Geography: Austria, Australia, China, France, Netherlands, United Kingdom, United States.
Targeted Industries: Business Services, Construction, Education, Furniture, Healthcare Services, Home Improvement Retailers, Hotels, IT, Manufacturing, Metals & Mining, Real Estate.


CYFIRMA Research and Advisory Team has found an update of INC/INC. Ransom ransomware while monitoring various underground forums as part of our Threat Discovery Process.

INC/INC. Ransom:

INC ransomware strain emerged at the end of July of 2023. The ransomware will encrypt the files and append them with the “.INC” extension.

Recent Observations

The initial access methods of the ransomware vary; observed techniques include spear-phishing emails and the targeting of vulnerable services, extending to the exploitation of CVE-2023-3519 (CVSS 9.8) in Citrix NetScaler. Once initial access is achieved, a diverse range of Living off the Land Binaries (LOLBINs) is employed for ongoing internal reconnaissance and lateral movement. The tools used in the ransomware operations consist of:

  • NETSCAN.EXE – Multi-protocol network scanner and profiler
  • MEGAsyncSetup64.EXE – Desktop application for MEGA file sharing/synchronization/cloud services
  • ESENTUTL.EXE – Microsoft utility for database management and recovery
  • AnyDesk.exe – Remote management/Remote Desktop

The ransomware payloads support multiple command-line arguments. Commands supported by Inc ransomware include:

Argument   Function
--file     Target a file directly for encryption (path)
--dir      Target a directory for encryption (path)
--sup      Stop using process
--ens      Encrypt network shares
--lhd      Local hidden drives (encrypt hidden boot and recovery volumes)
--debug    Output console-style debug logging

If the threat actor runs the payload without any command-line arguments, it encrypts the local device’s data directly, covering all accessible volumes and files.

Copies of the ransom notes are generated in both .TXT and .HTML formats, designated as “INC-README.TXT” and “INC-README.HTML,” respectively.

Every victim receives a unique personal ID within their ransom notes, which they are expected to use when visiting the payment site.

It’s important to note that the ransomware seems to try to erase Volume Shadow Copies (VSS).

The ransomware payloads contain the following debug string: C:\source\INC Encryptor\Release\INC Encryptor.pdb

Files Encrypted by INC Ransomware (Source: Surface web)

INC Ransomware Note (source: surface web)

Countries Targeted by INC Ransomware
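The behaviours described above (the payload switches, the ransom note names, the PDB string, the VSS deletion and the dual-use tooling) can be turned into a triage check. The following is an added example written for this report, not CYFIRMA’s code: it scores constructed process-creation records against those indicators. The shadow-copy deletion command forms are an assumption, since the report only states that VSS is erased, and the weights are illustrative.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Command-line switches the report lists for the INC payload.
INC_SWITCHES = {"--file", "--dir", "--sup", "--ens", "--lhd", "--debug"}
# --file/--dir/--debug are common in benign tooling, so only these three count on their own.
INC_DISTINCTIVE = {"--sup", "--ens", "--lhd"}
# Ransom note names and the PDB path quoted in the report.
INC_NOTE_NAMES = {"inc-readme.txt", "inc-readme.html"}
INC_PDB_PATH = r"C:\source\INC Encryptor\Release\INC Encryptor.pdb"
# Dual-use tools the report associates with INC intrusions: suspicious, not conclusive.
INC_TOOLING = {"netscan.exe", "megasyncsetup64.exe", "esentutl.exe", "anydesk.exe"}
# Assumption: the usual command forms for erasing shadow copies (not quoted in the report).
VSS_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I
)
ALERT_THRESHOLD = 50  # illustrative cut-off


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process_event(image: str, cmdline: str, pdb_path: str = "") -> Verdict:
    """Score one process-creation record: image path, command line and, if the
    sensor extracted it, the PDB path embedded in the image."""
    verdict = Verdict()
    image_name = _basename(image)
    tokens = {t.lower() for t in cmdline.split()}

    distinctive = sorted(tokens & INC_DISTINCTIVE)
    generic = sorted(tokens & (INC_SWITCHES - INC_DISTINCTIVE))
    if distinctive:
        verdict.score += 40 * len(distinctive)
        verdict.reasons.append("INC-specific switches: " + " ".join(distinctive))
        if generic:  # generic switches only add weight next to a distinctive one
            verdict.score += 10 * len(generic)
            verdict.reasons.append("additional INC switches: " + " ".join(generic))

    if VSS_DELETE.search(cmdline):
        verdict.score += 50
        verdict.reasons.append("shadow copy deletion command")

    if image_name in INC_TOOLING:
        verdict.score += 20
        verdict.reasons.append(f"dual-use tool seen in INC intrusions: {image_name}")

    if pdb_path and pdb_path.lower() == INC_PDB_PATH.lower():
        verdict.score += 100
        verdict.reasons.append("INC Encryptor PDB path")

    return verdict


def is_inc_ransom_note(filename: str) -> bool:
    """File-creation side of the check: the two ransom note names from the report."""
    return _basename(filename) in INC_NOTE_NAMES


# Constructed sample events (not from a real incident).
SAMPLE_EVENTS = [
    ("C:\\Users\\Public\\svc.exe", "svc.exe --ens --lhd --sup", ""),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet", ""),
    ("C:\\Temp\\netscan.exe", "netscan.exe", ""),
    ("C:\\Program Files\\app\\tool.exe", "tool.exe --dir C:\\data", ""),
]


def triage(events=SAMPLE_EVENTS) -> list[tuple[str, int, bool]]:
    """Return (image name, score, alert) per event so results can be asserted on."""
    out = []
    for image, cmdline, pdb in events:
        v = score_process_event(image, cmdline, pdb)
        out.append((_basename(image), v.score, v.alert))
    return out


if __name__ == "__main__":
    for name, score, alert in triage():
        print(f"{name:<14} score={score:<4} alert={alert}")
```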

Relevancy and Insights:

  • This ransomware targets the Windows operating system commonly used by organizations across many industries. The recent victims are:
      • Education and Software industries in the United States
      • Real Estate industry in Australia
  • USB Bus Checks: The ransomware is actively monitoring and checking the USB bus for connected devices. This behaviour suggests that the ransomware may be attempting to propagate itself by spreading through removable media, such as USB drives. It could be searching for specific files or vulnerabilities on connected devices to further spread its malicious payload.
  • User Input Checks: The ransomware is also performing checks on user input. This behaviour implies that the ransomware may have the ability to interact with the user or receive commands in some way. It could be looking for specific inputs or triggers to initiate its encryption process or carry out other malicious activities. This behaviour indicates a level of sophistication and interactivity in the ransomware’s design.
  • Command-Line Flexibility: The ransomware’s support for multiple command-line arguments (such as targeting specific files, directories, network shares, or hidden drives) provides threat actors with flexibility and control over the encryption process. This versatility can make the ransomware more effective and damaging.
  • Volume Shadow Copy: VSS is used for data recovery and backup purposes, and by deleting it, the ransomware aims to hinder victims’ ability to restore their files without paying the ransom, increasing the pressure on them to comply with the attackers’ demands.
  • Based on the list of victims, it is conceivable that the ransomware’s primary focus might be the United States.

ETLM assessment

Based on available information, CYFIRMA’s assessment asserts that INC ransomware is likely to continue focusing on Windows OS systems, with a strong emphasis on propagating through USB drives, sophisticated user interaction capabilities, and flexibility in its encryption methods. Its primary aim seems to be disrupting critical sectors, with the United States being a potential primary target.

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr. No  Tactics                        Techniques/Sub-Techniques
1       TA0001: Initial Access         T1091: Replication Through Removable Media
                                       T1190: Exploit Public-Facing Application
2       TA0002: Execution              T1059: Command and Scripting Interpreter
                                       T1129: Shared Modules
                                       T1569.002: System Services: Service Execution
3       TA0003: Persistence            T1574.002: Hijack Execution Flow: DLL Side-Loading
4       TA0004: Privilege Escalation   T1574.002: Hijack Execution Flow: DLL Side-Loading
5       TA0005: Defense Evasion        T1027: Obfuscated Files or Information
                                       T1036: Masquerading
                                       T1140: Deobfuscate/Decode Files or Information
                                       T1222: File and Directory Permissions Modification
                                       T1574.002: Hijack Execution Flow: DLL Side-Loading
6       TA0006: Credential Access      T1056: Input Capture
7       TA0007: Discovery              T1082: System Information Discovery
                                       T1083: File and Directory Discovery
                                       T1120: Peripheral Device Discovery
8       TA0008: Lateral Movement       T1091: Replication Through Removable Media
9       TA0009: Collection             T1056: Input Capture
10      TA0011: Command and Control    T1090: Proxy
11      TA0040: Impact                 T1486: Data Encrypted for Impact

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Information Stealer
Objective: Credentials & Data Theft
Target Technology: Windows OS

Active Malware of the Week

This week “ExelaStealer” is trending.


In 2023, the InfoStealer market is competitive with established players like RedLine, Raccoon, and Vidar holding a significant market share. Researchers discovered that ExelaStealer is a recent addition to the crowded landscape of information stealers targeting Windows systems. These malware types are designed to capture sensitive data. Despite the prevalence of such infostealers, ExelaStealer’s emergence highlights the potential for new players to establish themselves in this space.


ExelaStealer is an open-source InfoStealer primarily written in Python, but it can incorporate resources from other languages like JavaScript. This tool allows threat actors to steal sensitive data from Windows-based systems, including passwords, credit card information, cookies, session data, and key logs.

ExelaStealer: Dark Web Ads and Prices

ExelaStealer is advertised on the Dark Web, offering both open-source and paid versions. The advertisements provide valuable insights into its capabilities. These ads seem to be posted by “quicaxd,” the primary contact for ExelaStealer. The pricing includes $20 for one month of use, $45 for three months, and a lifetime subscription for $120.

ExelaStealer’s active Telegram channel allows users to access both the paid and open-source versions via a GitHub repository.

Technical Analysis of Exela Stealer

Researchers observed that the binaries analyzed appeared to be linked to a specific campaign, a conclusion further supported by the presence of a decoy document.

Regrettably, the initial infection vector was unclear, but it could have been initiated through various means, including phishing, watering holes, or other malware distribution.

The binary “sirket-ruhsat-pdf.exe” serves as the initial stage for deployment. Its primary functions include launching the “sirket-ruhsat-pdf.exe” executable and displaying a decoy PDF document named “BNG 824 ruhsat.pdf” to the user. Both of these files are deposited into the root of the C: Drive.

The “sirket-ruhsat-pdf.exe” attempts to find a compatible PDF viewer and open the decoy document, which is entirely benign and serves as a visual distraction. The PDF is a copy of a Turkish vehicle registration certificate for a Dacia Duster.

Static Analysis of “sirket-ruhsat-pdf.exe”:

  • “sirket-ruhsat-pdf.exe” is a PyInstaller executable.
  • A tool like “pyinstxtractor” can be used to extract the archive’s contents for inspection.
  • The executable is likely signed with a fraudulent or invalid certificate and disguises itself as “Runtime Broker,” a legitimate Microsoft process.
  • The code in the “Obfuscated.pyc” file can be decompiled using tools like “pycdc.”
  • The code contains obfuscated function names and variable values, making static analysis time-consuming but not impossible.

Dynamic Analysis of “sirket-ruhsat-pdf.exe”:

  • The binary spawns itself as a new process.
  • ExelaStealer, which it deploys, collects Windows version information and the host’s UUID.
  • It then executes a Base64-encoded PowerShell command, collecting data on clipboard images, system information, physical disk details, user information, firewall status, and WLAN status and profiles.
  • The collected information is stored locally in a folder named after the host’s UUID in “C:\Users\<user>\AppData\Local\Temp\.”
  • Each text file within the folder contains a URL leading to the TA’s Telegram channel.
  • The files are packaged into a Zip archive using the UUID as the archive name and sent to a TA-controlled Discord channel using a Discord webhook.
  • This analysis provides a detailed understanding of the functionality and operation of “sirket-ruhsat-pdf.exe” and its associated ExelaStealer payload.
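Two of the observations above are directly checkable from telemetry: the Base64-encoded PowerShell collection command, and the upload of a UUID-named Zip archive to a Discord webhook. The following is an added example written for this report (not the stealer’s code or CYFIRMA’s): it decodes an encoded PowerShell command line and tags the data categories it touches, and flags the exfiltration pattern in a proxy log line. The cmdlet patterns, the sample script and the log line are constructed; the report does not quote the real command.

```python
from __future__ import annotations

import base64
import re

# PowerShell accepts -EncodedCommand and its abbreviations; the payload is UTF-16LE in Base64.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Assumption: one plausible cmdlet/tool per data category the report lists.
COLLECTION_PATTERNS = [
    ("clipboard", re.compile(r"get-clipboard", re.I)),
    ("system information", re.compile(r"get-computerinfo|systeminfo", re.I)),
    ("physical disks", re.compile(r"get-physicaldisk|win32_diskdrive", re.I)),
    ("user information", re.compile(r"get-localuser|net\s+user|whoami", re.I)),
    ("firewall status", re.compile(r"get-netfirewallprofile|netsh\s+advfirewall", re.I)),
    ("wlan profiles", re.compile(r"netsh\s+wlan\s+show\s+profiles?", re.I)),
]

DISCORD_WEBHOOK = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)
UUID_ZIP = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.zip", re.I)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded script of an -EncodedCommand invocation, or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_powershell_cmdline(cmdline: str) -> dict:
    """Tag which data categories an encoded command collects; three or more is suspicious."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "collects": [], "suspicious": False}
    hits = [label for label, pattern in COLLECTION_PATTERNS if pattern.search(script)]
    return {"encoded": True, "script": script, "collects": hits, "suspicious": len(hits) >= 3}


def flag_exfil_request(log_line: str) -> list[str]:
    """Reasons a proxy/HTTP log line matches the report's exfiltration pattern."""
    reasons = []
    if DISCORD_WEBHOOK.search(log_line):
        reasons.append("discord webhook destination")
    if UUID_ZIP.search(log_line):
        reasons.append("zip archive named after a UUID")
    return reasons


def build_sample_cmdline() -> str:
    """Constructed stand-in for the stealer's encoded command (not the real payload)."""
    script = (
        "Get-Clipboard; Get-ComputerInfo; Get-PhysicalDisk; Get-LocalUser; "
        "Get-NetFirewallProfile; netsh wlan show profiles"
    )
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {encoded}"


# Constructed log line: placeholder webhook id/token, UUID-style archive name.
SAMPLE_LOG_LINE = (
    "POST https://discord.com/api/webhooks/000000000000000000/CONSTRUCTED_TOKEN "
    "multipart/form-data file=6f1c2a3e-1b4d-4c5e-9f01-23456789abcd.zip"
)

if __name__ == "__main__":
    print(analyze_powershell_cmdline(build_sample_cmdline()))
    print(flag_exfil_request(SAMPLE_LOG_LINE))
```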


  • The emergence of a new info-stealer underscores the potential for new threat actors to enter the scene and establish themselves. This information stealer poses a risk as it enables attackers to utilize stolen data, which can be used for purposes like blackmail, espionage, or ransom. Given the ongoing threat, organizations are advised to bolster their security measures to safeguard critical assets and infrastructure.
  • ExelaStealer is an open-source info-stealer that offers paid customizations, making it attractive to cybercriminals seeking to profit from its capabilities. In a data-driven world, the pursuit of valuable data is likely to persist indefinitely. In addition to its existing capabilities, cybercriminals are actively planning to extend Exela’s functionalities, further increasing its threat potential.
  • ExelaStealer not only collects system information that can help cybercriminals identify vulnerabilities but also extracts clipboard data, active window titles, and details about running processes, potentially exposing sensitive information. These planned enhancements would increase the threat level posed by ExelaStealer, making it a more potent and versatile tool in the hands of malicious actors.


From the ETLM perspective, CYFIRMA expects that the future of info-stealers like ExelaStealer is likely to involve increased sophistication, broader target diversity across industries, and the integration of multifaceted capabilities. Cybercriminals are currently in the process of expanding the capabilities of the Exela stealer beyond its current functionalities. By incorporating these new capabilities, it will become an even more formidable and versatile tool in the arsenal of fraud-related actors, heightening the risks associated with its usage. In today’s tech-driven world, where cyber threats are constantly evolving and becoming smarter, staying one step ahead is crucial to ensuring the security of your data and systems.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Establish a robust security posture that is thoughtfully layered with a series of security mechanisms and controls in the network to protect the confidentiality, integrity, and availability of critical data.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.
  • Secure your organization’s internet-facing assets with robust security protocols and encryption, including authentication or access credentials configuration, to ensure that critical information stored in databases/servers is always safe.
  • Actively monitor the infrastructure for potential exploitation attempts and respond accordingly.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Enable Network traffic/security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Black Basta Ransomware | Malware – ExelaStealer
  • Black Basta Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – ExelaStealer
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Threat Actors Weaponize Malicious Script to Mine Cryptocurrency

  • Threat Actors: Unknown
  • Attack Type: Unknown
  • Objective: Financial Gains
  • Target Technology: Windows
  • Target Geographies: Worldwide
  • Target Industries: B2B industry
  • Business Impact: Operational Disruption

In a recent observation, many unknown threat actors were observed employing malicious scripts. In April of this year, the FBI issued an advisory warning about a series of cyberattacks targeting government, law enforcement, and non-profit organizations. These attacks involve the deployment of multiple types of malware on victims’ devices. The primary objectives of the attackers are to harness company resources for cryptocurrency mining, steal sensitive data through keyloggers, and establish unauthorized backdoor access to computer systems.

Upon investigation of the indicators of compromise identified in the FBI’s April report, previously undisclosed malicious scripts were discovered in August. These scripts attempted to manipulate Windows Defender, with one script disabling the security software and another attempting to add specific files to its exceptions list. The attackers also gained administrator privileges and renamed folders associated with security solutions to avoid detection. Further investigation revealed that the scripts aimed to mine Monero cryptocurrency on the infected devices. The malware collected keystrokes through a keylogger and established a backdoor connection to a command-and-control server.

Over 10,000 attacks on more than 200 users worldwide have been recorded since May 2023, with a focus on the B2B sector, affecting various types of organizations in countries including Russia, Saudi Arabia, Vietnam, Brazil, Romania, and sporadically in the United States, India, Morocco, and Greece.

Relevancy & Insights:
The menace encompasses a combination of various malware, such as cryptocurrency miners and keyloggers, targeting a diverse set of victims. Neither the FBI nor Kaspersky has publicly attributed this campaign to a specific cyberthreat group.

ETLM Assessment:
The cryptocurrency market, valued at $1.28 trillion, presents an appealing opportunity for hackers to target cryptocurrency traders and wallets. It’s clear that if malicious scripts, which primarily infiltrate systems by exploiting vulnerabilities in servers and computers, fall into the hands of threat actors with the objective of financial gains, they will use them extensively to steal cryptocurrency. As the cryptocurrency market continues to expand, the risk to the cryptocurrency owners facing various types of cyber-attacks by financially motivated threat actors will also increase in the future.


  • Enable 2FA on your crypto wallet accounts. This adds an extra layer of security by requiring you to provide a second authentication method, such as a one-time code from a mobile app, in addition to your password. This significantly enhances the protection of your wallet against unauthorized access.
  • Keep all software, including operating systems and security programs, up to date. Regularly apply security patches to address known vulnerabilities. This is critical in preventing attackers from exploiting security weaknesses.
  • Educate employees and users about the risks associated with downloading and executing scripts. Promote cybersecurity awareness and best practices to reduce the likelihood of falling victim to social engineering tactics, like phishing.
  • Deploy robust endpoint security solutions that include features for malware detection, intrusion prevention, and behavioural analysis. These tools can help identify and block malicious scripts and executables.
  • Employ network monitoring tools to detect unusual or suspicious activities in real time. Utilize threat intelligence to stay informed about emerging threats and to better defend against them.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Five Eyes warn of AI-enabled Chinese Espionage
The Five Eyes countries of Australia, Canada, New Zealand, the United Kingdom and the United States have taken the unprecedented step of publicly campaigning for industry and academic help on the issue of Chinese cyber- and AI-enabled IP theft. The chiefs of counterintelligence made an unusually open joint appearance on the American TV program 60 Minutes (CBS), where they publicly aired their concerns. The U.S. FBI Director Christopher Wray said the “unprecedented” joint call was meant to confront the “unprecedented threat” China poses to innovation across the world. According to the officials, China is stealing secrets in various sectors, from quantum technology and robotics to biotechnology and artificial intelligence to defense and manufacturing. The U.S. has long accused China of intellectual property theft and the issue has been a key sore point in U.S.-China relations, but this is the first time the Five Eyes members have joined publicly to call out China on it.

ETLM Assessment:
Such espionage is nothing new, especially coming from China. The warnings expressed echo the warnings issued by CYFIRMA in its report on Chinese IP theft, with the addition of the new threats posed by AI-assisted data theft efforts. However, what the Five Eyes find particularly unsettling is the use of artificial intelligence in these campaigns, given its potential to amplify and augment the threat. Chinese hackers have been mainly focusing on the defense industrial base, successfully compromising the networks of contractors to the Pentagon’s U.S. Transportation Command 20 times in a single year, while many other incursions have probably never been found. Some researchers are also worried that China is trying to position itself so that it could paralyze U.S. critical infrastructure in the event of a conflict between the two countries over Taiwan.

Iranian hackers active among Middle East tensions
Iran’s OilRig threat group (also known as APT34) has conducted an eight-month intrusion campaign against a rival Middle Eastern government, according to recently published research. Iranian hackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails on an Exchange Server, execute commands sent by the attackers in the form of emails, and surreptitiously forward the results to the attackers. The researchers have not specified the government or entity targeted in this campaign, but OilRig has historically targeted Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait and Qatar, as the Iranian government has security interests in virtually every country in the region.

ETLM Assessment:
There are likely similar campaigns by other Iranian actors pursuing the same goals of data exfiltration for the purpose of espionage. The cyber realm has been taking the form of the vanguard of geopolitical statecraft with the Middle East serving as the hotbed of both geopolitics and subsequently innovation and use of cyber intelligence collection, cyber warfare and integration of cyber warfare with kinetic means of conflict.

Hacktivism and influence operations continue to dominate the cyber side of the Hamas-Israel war
Opportunistic nuisance-level hacktivism remains a defining feature of cyber operations in the Hamas-Israel confrontation. Influence operations contest responsibility for the explosion that occurred at Gaza’s Al Ahli Hospital. The US Intelligence Community has tentatively concluded that the explosion appears to have been an accident caused by a Palestinian Islamic Jihad missile that malfunctioned after being fired from Gaza into Israel. That was Israel’s stance soon after the event. However, Hamas’s assertion that the explosion was caused by an Israeli airstrike is still widely believed and shared among Islamist and larger Arab circles, where it has sparked this week’s wave of protests. Most hacktivism stirred by the conflict has been carried out with Hamas’s benefit in mind. Private-sector players operating in Israel appear to have focused on gathering and analyzing information, especially when it comes to identifying and finding captives abducted during the early Hamas strikes.

ETLM Assessment:
Israel will seek to eliminate the threat posed by the Palestinian militant group for good, but that will require extensive bombing followed by boots-on-the-ground fighting in the Palestinian territory itself. This will cause very high collateral damage and civilian casualties in the Gaza strip, which could draw in other adversaries, including Hezbollah, al-Qaeda or even Iran. The cyberspace part of the conflict is likely just in its beginning and we are likely to see a spike in the activity of Iranian APTs attacking countries that support Israel. Russia might throw its weight behind some of the activity as well, as intensification of the conflict suits its interest, driving attention from its war in Ukraine and consuming resources that could otherwise help its western neighbor.

Rise in Malware/Ransomware and Phishing

Simpson Strong-Tie is Impacted by Black Basta Ransomware

  • Attack Type: Ransomware
  • Target Industry: Building Materials and Fixtures
  • Target Geography: The United States of America
  • Ransomware: Black Basta Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that a company from the United States of America (www[.]strongtie[.]com) was compromised by Black Basta Ransomware. Simpson Strong-Tie is the world leader in structural engineering solutions and deeply dedicated to a mission of helping people design and build safer, stronger structures. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes highly confidential and sensitive information pertaining to the organization, totaling around 71.5 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Based on our observations in 2023, it has become clear that the Black Basta Ransomware group primarily directs its attention towards organizations based in the USA, making up 62% of their main targets.
  • Based on the Black Basta Ransomware victims list in 2023, the top 5 Target countries are as follows:
  • Ranking the Top 10 Industries, most affected by Black Basta Ransomware

ETLM Assessment:
CYFIRMA assesses that Black Basta Ransomware will continue to prioritise American businesses and their associated entities that store substantial volumes of Personally Identifiable Information (PII).

Vulnerabilities and Exploits

Vulnerability in OMRON CX-Designer: 3.740

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Server Applications / SCADA System
  • Vulnerability: CVE-2023-43624 (CVSS Base Score 5.5)
  • Vulnerability Type: Improper Restriction of XML External Entity Reference (‘XXE’)

The vulnerability allows a remote attacker to gain access to sensitive information.

Relevancy & Insights:
The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted XML to the affected application and view the contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary files on the server or perform network scanning of internal and external infrastructure.
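The root cause of an XXE bug of this kind is a parser configured to resolve external entities. The following is an added example, not code from the report or from OMRON: it uses Python’s stdlib SAX parser as a stand-in for the product’s XML handling and contrasts the weak setting (external general entities resolved and inlined into the document) with the hardened one (the Python default since 3.7.1). The document, the element names and the secret file are all constructed; the check creates and deletes its own temporary file.

```python
from __future__ import annotations

import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _ElementText(ContentHandler):
    """Collects the character data inside one named element."""

    def __init__(self, element: str) -> None:
        super().__init__()
        self._element = element
        self._inside = False
        self._chunks: list[str] = []

    def startElement(self, name, attrs):
        if name == self._element:
            self._inside = True

    def endElement(self, name):
        if name == self._element:
            self._inside = False

    def characters(self, content):
        if self._inside:
            self._chunks.append(content)

    @property
    def text(self) -> str:
        return "".join(self._chunks)


def parse_project_value(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse a project-style XML document and return the text of <value>.

    allow_external_entities=True is the weak configuration: the parser fetches
    whatever an external entity points at and inlines it as document text.
    False is the hardened configuration: the reference is skipped silently.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    collector = _ElementText("value")
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text


def external_entity_document(local_path: str) -> bytes:
    """Constructed test document: declares an external entity that points at a
    local file and references it from element content."""
    return (
        "<?xml version='1.0'?>\n"
        f"<!DOCTYPE project [<!ENTITY ext SYSTEM '{local_path}'>]>\n"
        "<project><value>&ext;</value></project>\n"
    ).encode()


def demo_xxe_check() -> tuple[str, str]:
    """Return (weak_result, hardened_result) for a secret file the check creates itself."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("db_password=hunter2")  # constructed secret, stands in for a real file
        secret_path = fh.name
    try:
        doc = external_entity_document(secret_path)
        weak = parse_project_value(doc, allow_external_entities=True)
        hardened = parse_project_value(doc, allow_external_entities=False)
    finally:
        os.unlink(secret_path)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo_xxe_check()
    print("weak parser returned:    ", repr(weak))
    print("hardened parser returned:", repr(hardened))
```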

Affected Products:
https://www[.]fa[.]omron[.]co[.]jp/product/security/assets/pdf/en/OMSR-2023-011_en.pdf

Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

This week, CYFIRMA researchers have observed significant impacts on various products due to a range of vulnerabilities. The following are the top 5 most affected products.

Latest Cyber-Attacks, Incidents, and Breaches

Cyber Attacks Target the Websites of the Czech Police, Interior Ministry, and Airport

  • Threat Actors: NoName057
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: The Czech Republic
  • Business Impact: Operational Disruption


  • On the morning of October 23, 2023, both the Czech Interior Ministry and the police websites experienced a disruption in service, lasting approximately two hours, attributed to a distributed denial-of-service (DDoS) attack. Prague airport also encountered a similar DDoS attack, resulting in website unavailability between 11 a.m. and 12 p.m., as confirmed on their Twitter account. Importantly, the airport operations remained unaffected. The Interior Ministry promptly responded to the situation by implementing protective measures, including access restrictions from foreign sources, and expressed their commitment to restoring normal website functionality via a Twitter announcement.
  • Interior Minister Vit Rakusan (STAN) revealed that one possible line of investigation pointed to the Russian hacker group NoName057 as the culprit behind the attacks, orchestrated through the DDosia platform. This group extended its cyber assault to the Czech government’s website, as well as the websites of the lower and upper houses of parliament. While the government’s website remained inaccessible as of around 2 p.m., the other targeted websites had already returned to normal operations. NoName057, with its association with the pro-Russian cause, has been actively targeting nations supportive of Ukraine since the commencement of the conflict. These attacks were seen as a direct response to the ongoing Crimea Platform international summit hosted in Prague, aimed at facilitating the restoration of Ukraine’s territorial integrity.

Relevancy & Insights:
CYFIRMA assesses that the motivation behind the recent attacks on the Czech Interior Ministry, the police and Prague airport, as well as the increase in other cyber-attacks against Czech institutions, is mainly the Czech Republic’s on-going support for Ukraine. CYFIRMA has observed similar attacks against other NATO members, and therefore we assess that the Crimea Platform international summit held in Prague would have served as further encouragement to pro-Russian threat actors.

ETLM Assessment:
CYFIRMA assesses other NATO countries that play host to similar summits are at an increased risk of DDoS attacks from pro-Russian Hacktivists groups.

Data Leaks

Toumei Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Telecommunication
  • Target Geography: Japan
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Toumei, {www[.]toumei[.]co[.]jp}. Toumei Co Ltd is a company that operates in the telecommunications industry. The data that has been compromised includes usernames, email addresses, and a range of other sensitive information. The overall data size amounts to 8 gigabytes.

Source: Underground forums

Relevancy & Insights:
Cyber perpetrators motivated by financial gains persistently search for susceptible and inadequately protected systems and software applications. A significant number of these illicit actors operate within hidden online communities, engaging in discussions related to cybercrime and the illicit trade of pilfered digital assets. Distinguishing themselves from other financially motivated groups such as ransomware or extortion collectives, who often publicize their attacks, these cybercriminals prefer to maintain a low-profile presence. Exploiting unpatched systems or vulnerabilities in software and hardware, they gain unauthorized access and abscond with valuable information. Subsequently, they advertise the stolen data on secretive forums, where it is either resold or repurposed by other malevolent entities for their own unlawful agendas.

ETLM Assessment:
CYFIRMA assesses that financially motivated cybercriminals consider Japan and other developed economies in Asia a primary target. Therefore, CYFIRMA considers there to be a continual and on-going risk to companies in technologically advanced nations, such as Japan. Telecommunications and other industries will continue to be targeted by financially motivated threat actors.

Other Observations

CYFIRMA Research team observed a potential data leak related to Moodle, {www[.]moodle[.]com}. Moodle is a learning platform designed to provide educators, administrators, and learners with a single robust, secure, and integrated system to create personalized learning environments. The breached data consists of session details, emails, password hashes, and other confidential information in SQL format, with a total data size of 3 gigabytes.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve detection to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and enable rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.