
Weekly Intelligence Report – 27 Sep 2024

Published On : 2024-09-27

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Foxtrot Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Foxtrot Ransomware
Researchers have discovered a new ransomware variant named Foxtrot. This ransomware encrypts files, appends the “.foxtrot70” extension to the filenames, and generates a ransom note titled “How_to_back_files.html.” Further analysis revealed that Foxtrot is part of the MedusaLocker ransomware family.

The ransom note makes it clear that this ransomware variant targets companies rather than individuals.

Screenshot of files encrypted by this ransomware (Source: SurfaceWeb)

The appearance of Foxtrot ransomware’s ransom note (“How_to_back_files.html”) (Source: Surface Web)

The ransom note states that all important files have been encrypted using a combination of RSA and AES encryption methods. It claims that the files are safe but emphasizes that they can only be restored by the attackers. The note warns against using third-party software to recover the files, stating that such attempts will permanently corrupt them.

Furthermore, the ransom note says that the attackers gathered highly confidential and personal data and will release it publicly if the ransom is not paid. They offer to decrypt a few non-sensitive files for free to prove their decryption capabilities.

Lastly, the note provides two contact emails and says that the ransom price will increase if cybercriminals are not contacted within 72 hours.

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr. No / Tactic / Techniques and Sub-Techniques

1. TA0001: Initial Access
  • T1091: Replication Through Removable Media
2. TA0002: Execution
  • T1047: Windows Management Instrumentation
  • T1059: Command and Scripting Interpreter
  • T1129: Shared Modules
3. TA0003: Persistence
  • T1542.003: Pre-OS Boot: Bootkit
  • T1543.003: Create or Modify System Process: Windows Service
  • T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1574.002: Hijack Execution Flow: DLL Side-Loading
4. TA0004: Privilege Escalation
  • T1134.004: Access Token Manipulation: Parent PID Spoofing
  • T1543.003: Create or Modify System Process: Windows Service
  • T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1548: Abuse Elevation Control Mechanism
  • T1574.002: Hijack Execution Flow: DLL Side-Loading
5. TA0005: Defense Evasion
  • T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
  • T1036: Masquerading
  • T1070.004: Indicator Removal: File Deletion
  • T1112: Modify Registry
  • T1134.004: Access Token Manipulation: Parent PID Spoofing
  • T1140: Deobfuscate/Decode Files or Information
  • T1202: Indirect Command Execution
  • T1222: File and Directory Permissions Modification
  • T1497: Virtualization/Sandbox Evasion
  • T1548: Abuse Elevation Control Mechanism
  • T1562.001: Impair Defenses: Disable or Modify Tools
  • T1574.002: Hijack Execution Flow: DLL Side-Loading
6. TA0006: Credential Access
  • T1056.001: Input Capture: Keylogging
7. TA0007: Discovery
  • T1012: Query Registry
  • T1057: Process Discovery
  • T1082: System Information Discovery
  • T1083: File and Directory Discovery
  • T1120: Peripheral Device Discovery
  • T1497: Virtualization/Sandbox Evasion
  • T1518.001: Software Discovery: Security Software Discovery
  • T1614: System Location Discovery
8. TA0008: Lateral Movement
  • T1091: Replication Through Removable Media
9. TA0009: Collection
  • T1056.001: Input Capture: Keylogging
  • T1074: Data Staged
10. TA0011: Command and Control
  • T1071: Application Layer Protocol
  • T1090: Proxy
11. TA0040: Impact
  • T1486: Data Encrypted for Impact

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. The ransomware uses this technique to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.
  • The ransomware writes itself under “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the targeted image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems while evading detection.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
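The Image File Execution Options (IFEO) key mentioned above is something a responder can audit offline from a registry export. The following is an added example (not code from the report or from CYFIRMA): it parses a constructed .reg export, lists every IFEO subkey that sets a Debugger value, and rates entries whose debugger lives outside the Windows or Program Files trees as high-severity. The parser handles only the subset of the .reg format needed here (key headers and "Name"="string" values), and the trusted-path heuristic is an assumption to be tuned against the estate's own baseline.

```python
"""Audit an exported IFEO hive for Debugger redirections (added example)."""
from __future__ import annotations

import re

# Key prefix under which IFEO per-image subkeys live (one trailing backslash).
IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
               "\\Image File Execution Options\\")

# Constructed export, as `reg export` of the IFEO key would produce it:
# a legitimate Visual Studio JIT entry, a GlobalFlag-only entry, and a
# redirection of a system binary to a user-writable path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Users\\Public\\update.exe"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape(value: str) -> str:
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Map each key path to its REG_SZ values; dword/binary values are skipped."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        val_match = _VAL_RE.match(line)
        if val_match and current is not None:
            keys[current][val_match.group(1)] = _unescape(val_match.group(2))
    return keys


def audit_ifeo(text: str) -> list[tuple[str, str, str]]:
    """Return (image, debugger_command, severity) for every IFEO Debugger value."""
    trusted_roots = ("c:\\windows\\", "c:\\program files")  # assumed baseline
    findings = []
    for key, values in parse_reg(text).items():
        if not key.startswith(IFEO_PREFIX) or "Debugger" not in values:
            continue
        image = key[len(IFEO_PREFIX):]
        cmd = values["Debugger"]
        # First token of the command: quoted path or bare path up to a space.
        exe = cmd.strip('"').split('"')[0] if cmd.startswith('"') else cmd.split(" ")[0]
        severity = "review" if exe.lower().startswith(trusted_roots) else "high"
        findings.append((image, cmd, severity))
    return findings


if __name__ == "__main__":
    for image, cmd, severity in audit_ifeo(SAMPLE_REG):
        print(f"[{severity}] {image} -> {cmd}")
```

Entries that set only GlobalFlag are deliberately not reported; they change loader behaviour but do not redirect execution, so they belong to a separate, lower-priority check.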

ETLM Assessment:
CYFIRMA’s analysis, based on available data, indicates that MedusaLocker ransomware has been actively targeting a broad range of sectors, including manufacturing, healthcare, finance, IT services, and others, since 2019. The projections suggest that Foxtrot, a more sophisticated variant of MedusaLocker, will likely utilize advanced evasion techniques to expand its reach, affecting both individuals and businesses. It is expected to continue targeting major industries globally. As a result, staying vigilant and adopting strong cybersecurity measures are essential to effectively mitigate these evolving threats.

SIGMA Rule:
title: Boot Configuration Tampering Via Bcdedit.EXE
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\bcdedit.exe'
    - OriginalFileName: 'bcdedit.exe'
  selection_set:
    CommandLine|contains: 'set'
  selection_cli:
    - CommandLine|contains|all:
        - 'bootstatuspolicy'
        - 'ignoreallfailures'
    - CommandLine|contains|all:
        - 'recoveryenabled'
        - 'no'
  condition: all of selection_*
fields:
  - ComputerName
  - User
  - CommandLine
falsepositives:
  - Unlikely
level: high

(Source: SurfaceWeb)
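To show what the rule above actually matches before it is deployed, here is an added example (not part of the report, and not using any Sigma library): it re-implements the rule's three selections by hand and runs them over four constructed process_creation events, including a renamed bcdedit binary that is still caught via OriginalFileName and two benign bcdedit invocations that must not fire. Sigma string modifiers are case-insensitive, so both sides are lower-cased before comparison.

```python
"""Evaluate the bcdedit Sigma rule against sample process_creation events (added example)."""
from __future__ import annotations

# Constructed events in the field shape a Sysmon/Windows process_creation
# source provides after field mapping.
SAMPLE_EVENTS = [
    {  # recovery disabled: should fire
        "ComputerName": "WS01", "User": "CORP\\alice",
        "Image": "C:\\Windows\\System32\\bcdedit.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": "bcdedit /set {default} recoveryenabled No",
    },
    {  # renamed copy; the PE header's OriginalFileName still matches
        "ComputerName": "WS02", "User": "CORP\\bob",
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": "svc.exe /set {default} bootstatuspolicy ignoreallfailures",
    },
    {  # benign: enumerates the boot store, no 'set'
        "ComputerName": "WS03", "User": "CORP\\carol",
        "Image": "C:\\Windows\\System32\\bcdedit.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": "bcdedit /enum",
    },
    {  # benign: 'set' of an unrelated option
        "ComputerName": "WS04", "User": "CORP\\dave",
        "Image": "C:\\Windows\\System32\\bcdedit.exe",
        "OriginalFileName": "bcdedit.exe",
        "CommandLine": 'bcdedit /set {current} description "Windows 11"',
    },
]


def _lc(event: dict, field: str) -> str:
    """Fetch a field as a lower-cased string (Sigma matching is case-insensitive)."""
    return str(event.get(field, "")).lower()


def selection_img(event: dict) -> bool:
    # A list under a selection is OR: either map matching is enough.
    return (_lc(event, "Image").endswith("\\bcdedit.exe")
            or _lc(event, "OriginalFileName") == "bcdedit.exe")


def selection_set(event: dict) -> bool:
    return "set" in _lc(event, "CommandLine")


def selection_cli(event: dict) -> bool:
    # Two 'contains|all' maps OR'd together; each needs all of its tokens.
    cmd = _lc(event, "CommandLine")
    groups = (("bootstatuspolicy", "ignoreallfailures"), ("recoveryenabled", "no"))
    return any(all(token in cmd for token in group) for group in groups)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_set(event) and selection_cli(event)


def run(events: list[dict]) -> list[dict]:
    """Return the rule's 'fields' block for every event that fires."""
    return [{k: e.get(k) for k in ("ComputerName", "User", "CommandLine")}
            for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print("ALERT (high):", hit)
```

Note that the second `contains|all` pair only requires the substring "no" next to "recoveryenabled", so the rule fires on `recoveryenabled No` regardless of casing or surrounding text; that is what makes it robust to the variations seen in ransomware pre-encryption scripts.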

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Espionage, Data theft, Remote Access
Target Technologies: Windows OS, Browsers
Target Geography: Italy, Spain & Brazil

Active Malware of the Week
This week “SambaSpy” is trending.

SambaSpy
Researchers identified SambaSpy as a sophisticated Remote Access Trojan (RAT) that has gained attention for its targeted approach, primarily focusing on victims in Italy while also extending its reach to Spain and Brazil. This malware employs advanced techniques, blending malicious activities with legitimate-looking communications to evade detection effectively. SambaSpy exhibits a wide range of functionalities, including keystroke logging, credential theft from major browsers, and remote-control capabilities. As cybercriminals continue to refine their tactics, SambaSpy exemplifies the growing trend of region-specific cyber threats, raising significant concerns for organizations regarding the necessity for tailored cybersecurity strategies in response to this evolving landscape.

Features of SambaSpy
SambaSpy enhances its effectiveness as a Remote Access Trojan through a diverse set of functionalities designed for malicious intent. These features include:

  • File system management
  • Process management
  • Uploading/downloading files
  • Webcam control
  • Logging keystrokes and controlling the clipboard
  • Grabbing screenshots
  • Remote desktop management
  • Password stealing
  • Loading additional plugins at runtime
  • Starting a remote shell
  • Interacting with the victim

Attack Strategy
Researchers discovered two slightly different infection chains associated with the malware, revealing distinct pathways through which it compromises targeted systems. This finding highlights the adaptability of the cyber threat and underscores the importance of understanding varied attack vectors in order to enhance cybersecurity measures.

Fig: SambaSpy infection chain 1

Fig: SambaSpy infection chain 2

The second case features a more elaborate infection chain. First, the victim receives an email from a German address. However, the email is written in Italian and is designed to appear as though it comes from a legitimate Italian real estate company, aiming to deceive the recipient.

The email prompts the recipient to view an invoice by clicking on an embedded link, which redirects them to a malicious website. This site, according to researchers’ analysis and other sources, leads to FattureInCloud, a legitimate Italian cloud solution for managing digital invoices and quotes, where a valid invoice is displayed. While researchers could not directly access this file, they located a similar invoice on the urlscan.io website, as illustrated in the figure below.

All the distribution campaigns appear to center around the legitimate invoice, with researchers noting a variety of malicious emails that exploit the brand of the company behind the invoice in their sender details, subjects, and content. Although being redirected to a legitimate resource initially seemed like a dead end, further analysis revealed that some users were redirected to a malicious web server hosted on ngrok. This server served an HTML page containing JavaScript code with comments in Brazilian Portuguese, which redirected users to a malicious OneDrive URL only if they were using Edge, Firefox, or Chrome with their language set to Italian. If users did not meet these criteria, they remained on the page. Users who meet the targeting criteria are directed to a PDF document hosted on Microsoft OneDrive, enticing them to click a hyperlink labeled “VISUALIZZA DOCUMENTO,” meaning “view document.” This link ultimately redirects to a malicious JAR file hosted on MediaFire, which functions as either a dropper or a downloader.

The downloader
The downloader performs checks to determine whether it is running in a virtual machine and verifies that the environment is set to Italian. If these conditions are not met, it exits. If all checks are passed, the downloader proceeds to download and execute the final payload.

The dropper
The dropper operates similarly to the downloader, but instead of downloading the malware, it contains the malicious payload embedded within the resources of the JAR file.

Loading plugins
The plugin loading mechanism is straightforward: a class is provided to the RAT and loaded using URLClassLoader to access a file previously downloaded to the disk. It then invokes the addURL() method within the loaded class.

Keylogging and Browser Credential Theft
SambaSpy employs the JNativeHook library to log every keystroke from the victim, sending each event to the command and control (C2) server upon key release. Additionally, it utilizes Java Abstract Window native libraries to steal or modify the victim’s clipboard content. The RAT is capable of stealing credentials from major browsers, including Chrome, Edge, Opera, Brave, Iridium, and Vivaldi.

Remote desktop control
SambaSpy features a custom remote-control system that utilizes the Java Abstract Window Library’s Robot class to manipulate the mouse and keyboard on the victim’s system. It also employs the GraphicsDevice class to enable screen display control for the attacker.

INSIGHTS

  • SambaSpy showcases how cybercriminals are becoming increasingly precise in their targeting, focusing on a single country, like Italy, rather than adopting a global approach. This strategy suggests that attackers are investing more in understanding regional contexts and designing malware that blends into local norms, making detection harder. Such a shift also signals that attackers could be leveraging deeper insights into specific vulnerabilities within a country’s infrastructure or user behavior, aiming to increase their success rates by focusing on unsuspecting users who are more likely to trust familiar-looking communications.
  • Another key takeaway from SambaSpy’s campaign is its integration of both legitimate services and sophisticated techniques, which makes the attack seem authentic to the target. By directing users to legitimate sites like FattureInCloud and using popular brands in phishing emails, the attackers are capitalizing on trust. This approach could lead to more successful infections, as victims are less likely to question familiar or trusted sources. It also suggests that future threats may increasingly blend legitimate platforms with malicious intent, making it difficult for traditional security measures to flag these campaigns.
  • Finally, the technical versatility of SambaSpy—capable of keystroke logging, credential theft, and remote control of devices—demonstrates the growing power of modern RATs. The inclusion of plugin-loading mechanisms and obfuscation techniques shows that malware is becoming modular and adaptable, allowing attackers to adjust tactics based on their victims’ systems. The level of customization in SambaSpy highlights a broader trend where malware is evolving not just to evade detection but also to continuously expand its capabilities, which could lead to more dynamic and dangerous threats in the future.
  • While researchers have yet to link this campaign to a known threat actor, there are strong indications that the attackers behind SambaSpy may speak Brazilian Portuguese, based on the language used in code comments and error messages. Interestingly, while the campaign primarily targets Italy, the attacker has extended their reach to Spain and Brazil, signaling a broader focus. In these regions, the infection chains don’t involve the same language-based checks seen in the Italian campaign, suggesting that the threat actor may adjust their tactics based on the region, highlighting their adaptability and the potential for future expansion into other markets.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that SambaSpy’s impact on organizations could become increasingly significant as cybercriminals continue refining region-specific, stealthy attacks. As these targeted campaigns grow, organizations might face higher risks from phishing schemes that appear more legitimate, making it harder for employees to recognize threats. This could lead to increased incidents of credential theft, data breaches, and system compromises. Looking ahead, the malware’s ability to blend into legitimate platforms signals a future where attackers exploit trusted services more frequently, making traditional detection methods less effective. Organizations will need to adopt more proactive security measures that focus on behavioral analysis and regional threat intelligence to mitigate these evolving risks. Finally, as malware like SambaSpy becomes more modular and adaptable, organizations may struggle to keep up with its rapid evolution. Future attacks could see malware capable of dynamically changing its tactics, bypassing security updates, and continuing to compromise systems undetected.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audits of workstations, servers, laptops, and mobile devices to identify unauthorized/restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATION

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATION

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Exert caution when opening email attachments or clicking on embedded links supplied via email communications.
  • For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implant, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – RansomHub Ransomware, Hunters International Ransomware | Malware – SambaSpy
  • RansomHub Ransomware – One of the ransomware groups.
  • Hunters International Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – SambaSpy
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

UNC1860 and the Temple of Oats: Unveiling Iran’s Covert Influence in Middle Eastern Cyber Operations

  • Threat actor: UNC1860
  • Initial Attack Vector: Malware Implant
  • Objective: Espionage
  • Target Technology: Windows and VPN servers
  • Target Geographies: Middle East
  • Target industries: Telecommunications and government sectors
  • Business impact: Operational Downtime, Potential Destruction of Sensitive Information, and Data Theft

Summary:
UNC1860 is a persistent Iranian state-sponsored cyber threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS), characterized by its sophisticated tooling and passive backdoors that enable initial access and persistent infiltration of high-priority networks, particularly in the Middle East’s government and telecommunications sectors. Their operational parallels with other Iranian groups, such as Shrouded Snooper and APT34, suggest a collaborative approach to cyber operations, including providing initial access for destructive attacks. Notably, UNC1860 employs advanced techniques, such as a repurposed Windows kernel driver from legitimate software, to evade detection and maintain long-term access. Their arsenal includes GUI-operated malware controllers like TEMPLEPLAY and VIROGREEN, which facilitate remote access and control for third-party actors. The group’s use of web shells and passive implants, including STAYSHANTE and SASHEYAWAY, further supports stealthy operations, allowing for command execution without traditional C2 infrastructure. UNC1860 demonstrates a high level of sophistication in its coding practices, employing custom implementations of encryption and encoding to evade detection and maintain compatibility. Overall, UNC1860 is a formidable threat actor capable of adapting its strategies to meet evolving geopolitical objectives, posing significant risks to targeted networks in the region.

Relevancy & Insights:
UNC1860 has a history of targeting government and telecommunications sectors in the Middle East, often collaborating with other Iranian threat groups like APT34 to conduct disruptive operations. Previous attacks include the deployment of BABYWIPER against Israeli entities and ROADSWEEP in Albania, indicating a strategic motive of espionage and disruption rather than financial gains. The current incident shows similarities in tactics, techniques, and procedures (TTPs), with UNC1860 using custom malware like TEMPLEPLAY and VIROGREEN to establish initial access and maintain persistent footholds in targeted networks. This suggests a continued focus on high-value targets, such as governmental organizations and critical infrastructure, to support Iran’s geopolitical objectives. Entities in the Middle East, particularly those in the government and telecommunications sectors, need to be vigilant as they are at high risk. CYFIRMA assesses that UNC1860’s activities are likely aimed at gathering sensitive information and potentially enabling further disruptive operations, reflecting a persistent and evolving threat that aligns with Iran’s broader strategic goals in the region.

ETLM Assessment:
UNC1860 is a sophisticated Iranian state-sponsored threat actor, likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS), known for its role as an initial access provider supporting espionage and disruptive operations. The group primarily targets government and telecommunications sectors across the Middle East, focusing on countries like Israel, Saudi Arabia, Qatar, and Iraq, and has also been linked to operations in Albania. UNC1860 exploits vulnerable technologies, particularly Microsoft SharePoint (CVE-2019-0604) and VPN servers, deploying advanced malware such as TEMPLEPLAY, VIROGREEN, and passive implants like TOFUDRV and TEMPLEDROP, which evade detection through sophisticated methods. The group collaborates with other MOIS-linked actors, like APT34, and has been involved in significant attacks, including those using BABYWIPER and ROADSWEEP. Given its adeptness in maintaining persistent access and its evolving toolkit, UNC1860 is expected to continue being a major threat in the region, capable of adapting its operations to support various strategic objectives ranging from espionage to network disruption. As tensions in the Middle East persist, UNC1860’s activities are likely to remain aligned with Iran’s geopolitical goals, posing a significant risk to regional stability.

Recommendations:

  • Patch Management: Ensure that all systems, especially internet-facing servers, are updated with the latest security patches. Pay special attention to vulnerabilities frequently targeted by UNC1860, such as CVE-2019-0604 in Microsoft SharePoint and any VPN-related vulnerabilities.
  • Implement Zero Trust Architecture: Adopt a zero-trust approach to limit lateral movement within the network. This includes strict access controls, network segmentation, and continuous verification of users and devices.
  • Improve Incident Response Plans: Organizations should have an updated and well-rehearsed incident response plan to quickly identify, contain, and mitigate breaches. This includes establishing clear communication channels and protocols for escalation.
  • Conduct Threat Hunting and Forensic Analysis: Regularly perform threat-hunting activities to identify signs of compromise or unusual behavior indicative of UNC1860’s tactics, techniques, and procedures (TTPs). Forensic analysis should focus on detecting malware like TEMPLEPLAY, VIROGREEN, and other passive implants.
  • Employee Training and Awareness: Enhance cybersecurity awareness and training programs for employees, especially on phishing and social engineering tactics, which may be used to gain initial access. Employees should know how to recognize and report suspicious activities.
  • Monitor for Emerging Threats: Keep track of geopolitical developments in the Middle East, as they may influence the activities of state-sponsored groups like UNC1860. Adapt security measures proactively based on potential changes in threat actor motivations and targets.
  • Deploy Deception Technologies: Implement honeypots and deception technologies to detect adversarial movement within the network, disrupt reconnaissance efforts, and gain insights into attacker methodologies.

These recommendations aim to reduce the risk posed by UNC1860 and enhance organizational resilience against similar advanced persistent threats (APTs).

MITRE ATT&CK Tactics and Techniques
Tactics ID Technique
Initial access T1190 Exploit Public-Facing Application
Execution T1059.003 Command and Scripting Interpreter: Windows Command Shell
Execution T1129 Shared Modules
Privilege escalation T1068 Exploitation for Privilege Escalation
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Persistence T1547.006 Boot or Logon Autostart Execution: Kernel Modules and Extensions
Persistence T1505.003 Server Software Component: Web Shell
Defense evasion T1036.005 Masquerading: Match Legitimate Name or Location
Defense evasion T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
Defense evasion T1218.011 System Binary Proxy Execution: Rundll32
Defense evasion T1218.002 System Binary Proxy Execution: Control Panel
Defense evasion T1574.002 Hijack Execution Flow: DLL Side-Loading
Discovery T1018 Remote System Discovery
Discovery T1135 Network Share Discovery
Discovery T1046 Network Service Discovery
Discovery T1082 System Information Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Lateral Movement T1021.001 Remote Services: Remote Desktop Protocol
Lateral Movement T1210 Exploitation of Remote Services
Collection T1005 Data from Local System
Command and Control T1071.001 Application Layer Protocol: Web Protocols
Command and Control T1095 Non-Application Layer Protocol
Command and Control T1573 Encrypted Channel
Command and Control T1090 Proxy
Impact T1485 Data Destruction

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

US government disrupts Chinese botnet
The U.S. Department of Justice has revealed a court-sanctioned law enforcement operation that successfully dismantled a botnet network comprising over 200,000 consumer devices, such as routers, IP cameras, DVRs, and network-attached storage units. The Justice Department stated that the devices were compromised by hackers sponsored by the Chinese government, specifically working for Integrity Technology Group, a Beijing-based company also referred to in the private sector as Flax Typhoon. Researchers have identified the botnet, named “Raptor Train,” as having been used to target critical infrastructure in both the U.S. and Taiwan.

ETLM Assessment:
The court-authorized operation took control of the hackers’ computer infrastructure and, among other steps, sent disabling commands through that infrastructure to the malware on the infected devices. During the course of the operation, there was an attempt to interfere with the FBI’s remediation efforts through a distributed denial-of-service (DDoS) attack targeting the operational infrastructure that the FBI was utilizing to effectuate the court’s orders. The attack was ultimately unsuccessful in preventing the FBI’s disruption of the botnet. The case is another instance of active defense by the U.S. government in tackling the issue of Chinese cyber-statecraft – China is the number one state sponsor of cyberattacks in the world.

Telegram banned in Ukraine for government and military use
Ukraine’s National Security and Defense Council (NSDC) has prohibited the use of the Telegram app on official devices used by government officials, military personnel, and employees at critical infrastructure sites. The NSDC pointed to national security risks, stating it has “credible information” that Russian intelligence could exploit the app to distribute malware and collect data to aid in missile strikes. Researchers note that Telegram remains the main platform for news sharing among most Ukrainians. The ban does not apply to personal devices, nor to those who use the app as part of their official responsibilities.

ETLM Assessment:
The claim that Telegram has been compromised by Russian intelligence agencies comes on the heels of the arrest of the company’s founder, Pavel Durov, in France earlier in August. French prosecutors said they detained the Russian-born billionaire, who is now a French-Emirati citizen, as part of an investigation opened in July into the messaging app’s moderation of alleged criminal activity on the platform.

Founded in 2013, Telegram has rapidly gained popularity, approaching 1 billion users and becoming a key communication tool in conflict zones and humanitarian crises, such as the Russia-Ukraine war and the Israel-Hamas conflict.

Durov has adopted a largely hands-off approach to moderation, presenting the app as immune to government influence. However, some researchers have cautioned that this has led to Telegram becoming a hotspot for illicit activities and extremism. Known as the “Mark Zuckerberg of Russia” for co-founding the popular social media platform VKontakte, Durov left Russia in 2014 after reportedly refusing to comply with Moscow’s requests for access to data from Ukrainian users protesting against a pro-Russia government. In recent years, Durov has sought to distance himself and the app from Russia. However, many analysts point out that his private jet has repeatedly returned to Russia whenever his business was in trouble, and intelligence agencies therefore expect his platform to be compromised by the Russian state; it is not only possible but also likely that the Kremlin still has ties to or influence over Telegram. This makes the app unsafe for official use, and the Ukrainian move is expected to be followed by further governments in the future.

US to propose ban on auto technology from China and Russia
The U.S. Commerce Department is set to propose a ban on certain software and hardware from Chinese and Russian sources for connected vehicles. In a statement, the department cautioned that, in extreme circumstances, a foreign adversary could simultaneously disable or seize control of all vehicles operating in the United States, potentially leading to crashes or obstructed roadways. The Secretary of Commerce also highlighted the risk that China or Russia could exploit backdoor software to gather detailed location information on Americans. Reports indicate that this ban will not impact vehicles that have already been manufactured; instead, the software ban will apply to vehicles from the 2027 model year, while the hardware ban will take effect for the 2030 model year. Russia exports hardly any cars to the U.S., however, China is making moves to become the global leader in the EV industry, a goal that is well underway.

ETLM Assessment:
This year, Five Eyes security officials warned about hacking campaigns by Volt Typhoon, a Chinese state-sponsored group that has been pre-positioning inside U.S. critical infrastructure so that it could be paralyzed if a conflict erupted between the two countries over Taiwan or Philippine waters. Inducing societal panic in an adversary during a conflict is an inherent part of Chinese military doctrine, and targeting critical infrastructure on Guam could significantly affect U.S. military operations. The proposed ban on Chinese software and hardware in connected vehicles is a logical extension of the U.S. fear that China could plant cyber “time bombs” for use in a conflict.

4. Rise in Malware/Ransomware and Phishing

The RansomHub Ransomware impacts the Vinati Organics

  • Attack Type: Ransomware
  • Target Industry: Chemical Manufacturing
  • Target Geography: India
  • Ransomware: RansomHub Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that an Indian company, Vinati Organics (www[.]vinatiorganics[.]com), was compromised by the RansomHub Ransomware. Vinati Organics is a leading global producer of specialty chemicals and organic intermediates, headquartered in India. The company specializes in manufacturing high-quality products such as Iso Butyl Benzene (IBB), 2-Acrylamido-2-methylpropane sulfonic acid (ATBS), Iso Butylene (IB), and High Purity Methyl Tertiary Butyl Ether (HPMTBE), which serve diverse industries, such as pharmaceuticals, agrochemicals, and water treatment across the US, Europe and Asia. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 233 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • We recently observed the RansomHub group using a new tool, EDRKillShifter, to disable Endpoint Detection and Response (EDR) software. It relies on Bring Your Own Vulnerable Driver (BYOVD): the attackers load a legitimately signed but flawed driver, abuse it to gain kernel-level access, and then terminate or blind security products. In a May 2024 attack, EDRKillShifter attempted to shut down protections but was stopped by existing safeguards. The loader is modular and can deliver different vulnerable-driver payloads depending on the attackers’ needs; its code indicates it was built on a machine with Russian language settings, and it repurposes publicly available proof-of-concept exploits for known vulnerable drivers, a pattern that is an increasing threat to organizational security. We also observed RansomHub affiliates using TDSSKiller, a legitimate anti-rootkit tool, to disable EDR services on targeted systems. Once the defenses were down, they deployed LaZagne to harvest credentials from application databases and move deeper into the network.
  • RansomHub, a ransomware-as-a-service (RaaS) platform, has quickly emerged as one of the largest and most dangerous ransomware groups in 2024. As of August 2024, the RansomHub Ransomware group has reportedly targeted at least 210 victims across various critical sectors.
  • In recent RansomHub attacks, initial access was gained by exploiting the Zerologon vulnerability (CVE-2020-1472). This critical Netlogon flaw lets an attacker with network access to a domain controller reset its machine account password and escalate to domain administrator, giving them control over the entire domain.
  • RansomHub was also observed targeting VMware ESXi environments with a newly developed Linux encryptor. This encryptor shuts down virtual machines and deletes snapshots before encrypting, and it uses ChaCha20 for file encryption and Curve25519 for key exchange, so encrypted files cannot be recovered without the operators’ private key.
  • The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Australia, and Italy.
  • The RansomHub Ransomware group primarily targets industries, such as Specialized Consumer Services, Heavy Construction, Software, Business Support Services, and Retail.
  • Based on the RansomHub Ransomware victims list from 1st Jan 2024 to 25 September 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2024 to 25 September 2024 are as follows:
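The BYOVD technique in the first bullet above leaves a distinctive trace: a validly signed third-party driver loaded from a location where no driver belongs, or a driver whose hash is on a maintained blocklist. The following script is an added example, not code from CYFIRMA or from the RansomHub toolkit; it triages Sysmon Event ID 6 (DriverLoad) records for that pattern. The field names follow the Sysmon export schema, while the hostname, driver names and hash values are constructed placeholders, not real indicators.

```python
"""Hunt for Bring-Your-Own-Vulnerable-Driver (BYOVD) loads in Sysmon Event ID 6 records.

Added example (not CYFIRMA's code). Hostnames, driver names and hashes below are
constructed placeholders, not real indicators.
"""
import xml.etree.ElementTree as ET

# Hypothetical SHA-256 values of drivers the organisation blocks (e.g. entries copied
# from Microsoft's vulnerable driver blocklist). Constructed, not a real hash.
KNOWN_ABUSED_SHA256 = {"0f" * 32}
# Drivers legitimately live here; anything loaded from elsewhere deserves a look.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}


def _local(tag):
    """Strip the XML namespace that Sysmon exports carry ('{ns}Data' -> 'Data')."""
    return tag.rsplit("}", 1)[-1]


def parse_driver_load(xml_text):
    """Return the fields of a Sysmon DriverLoad (Event ID 6) record, or None otherwise."""
    root = ET.fromstring(xml_text)
    event_id, computer, fields = None, None, {}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "EventID":
            event_id = int(elem.text)
        elif name == "Computer":
            computer = elem.text
        elif name == "Data" and elem.get("Name"):
            fields[elem.get("Name")] = (elem.text or "").strip()
    if event_id != 6:
        return None
    # Sysmon writes "MD5=...,SHA256=...,IMPHASH=..." in a single field.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return {
        "computer": computer,
        "utc_time": fields.get("UtcTime", ""),
        "image": fields.get("ImageLoaded", ""),
        "sha256": hashes.get("SHA256", "").lower(),
        "signed": fields.get("Signed", "").lower() == "true",
        "signer": fields.get("Signature", ""),
        "status": fields.get("SignatureStatus", ""),
    }


def triage(ev, blocklist=KNOWN_ABUSED_SHA256):
    """Return the reasons a driver load looks like BYOVD (empty list = benign)."""
    reasons = []
    path = ev["image"].lower()
    if ev["sha256"] in blocklist:
        reasons.append("hash matches vulnerable-driver blocklist")
    if not path.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver image outside System32\\drivers")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("driver image in a user-writable location")
    if not ev["signed"] or ev["status"].lower() != "valid":
        reasons.append("missing or invalid signature")
    elif ev["signer"] not in TRUSTED_SIGNERS and reasons:
        # BYOVD drivers are *validly* signed: a third-party signature on a driver
        # dropped into an odd location is the pattern, not a signature failure.
        reasons.append(f"validly signed third-party driver '{ev['signer']}' (BYOVD pattern)")
    return reasons


def severity(reasons):
    high = ("blocklist", "BYOVD", "invalid signature")
    return "high" if any(k in r for r in reasons for k in high) else "medium"


def hunt(xml_records):
    """Run triage over raw Sysmon XML records and return only the suspicious loads."""
    findings = []
    for rec in xml_records:
        ev = parse_driver_load(rec)
        if ev is None:
            continue
        reasons = triage(ev)
        if reasons:
            findings.append({**ev, "reasons": reasons, "severity": severity(reasons)})
    return findings


def _event(event_id, computer, **data):
    """Build a constructed Sysmon record in the real export shape (sample data only)."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID><Computer>{computer}</Computer></System>"
            f"<EventData>{rows}</EventData></Event>")


# Constructed sample: one benign Microsoft driver, one BYOVD-style load from
# ProgramData, one unrelated process-create event, one benign vendor driver.
SAMPLE_EVENTS = [
    _event(6, "ws01.example.local", UtcTime="2024-09-25 10:41:03.117",
           ImageLoaded=r"C:\Windows\System32\drivers\tcpip.sys",
           Hashes="SHA256=" + "a" * 64, Signed="true",
           Signature="Microsoft Windows", SignatureStatus="Valid"),
    _event(6, "ws01.example.local", UtcTime="2024-09-25 10:42:57.004",
           ImageLoaded=r"C:\ProgramData\Update\rdrv.sys",
           Hashes="MD5=" + "b" * 32 + ",SHA256=" + "0f" * 32, Signed="true",
           Signature="Contoso Hardware Ltd", SignatureStatus="Valid"),
    _event(1, "ws01.example.local", Image=r"C:\Windows\System32\cmd.exe"),
    _event(6, "ws01.example.local", UtcTime="2024-09-25 10:43:10.550",
           ImageLoaded=r"C:\Windows\System32\drivers\vendorflt.sys",
           Hashes="SHA256=" + "c" * 64, Signed="true",
           Signature="Example Vendor Inc", SignatureStatus="Valid"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["computer"], f["image"], "; ".join(f["reasons"]))
```

Feed it the XML from a Sysmon-forwarded channel (or a SIEM export) instead of SAMPLE_EVENTS; only the second sample record is reported, as high severity, because it combines a blocklisted hash, a non-standard path and a valid third-party signature. The vendor driver in the standard directory is deliberately left alone, which keeps the rule usable on fleets with legitimate third-party drivers.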

ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Vinati Organics, a prominent Manufacturing company from India, highlighting RansomHub’s significant threat presence in the South Asian region.

The Hunters International Ransomware Impacts the Bank Rakyat

  • Attack Type: Ransomware
  • Target Industry: Finance
  • Target Geography: Malaysia
  • Ransomware: Hunters International Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a Malaysian company, Bank Rakyat (www[.]bankrakyat[.]com[.]my), was compromised by Hunters International Ransomware. Bank Rakyat is Malaysia’s largest Islamic cooperative bank. The bank primarily offers Islamic banking services, focusing on Shariah-compliant financial products, such as personal and home financing, credit and debit cards, and wealth management solutions. Bank Rakyat also offers specialized products like education financing, microfinancing, and various types of insurance (Takaful) plans. The compromised data encompasses a trove of sensitive and confidential records originating from the organizational database. The scale of the data exposure measures approximately 463.2 GB, comprising a total of 144,015 discrete files.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • We recently observed a new Remote Access Trojan (RAT) named SharpRhino, linked to the ThunderShell malware family and deployed by the ransomware group Hunters International. It is delivered through a typosquatting domain impersonating Angry IP Scanner, a legitimate network-scanning tool that administrators commonly download, and once run it establishes persistence and obtains elevated permissions on the device. The installer is a Nullsoft Scriptable Install System (NSIS) package that drops a password-protected archive containing further payloads, including a PowerShell script that compiles and executes obfuscated, encrypted C# code. That code communicates with a Command-and-Control (C2) server and executes operator commands, such as launching applications on the victim’s system. The analysis revealed a complex infection chain that gives the group the foothold needed for follow-on ransomware deployment.
  • Hunters International Ransomware Group has announced version 5.0.0 of their encryption/decryption software. Allegedly, this version is smoother, faster, and enables a more reliable decryption/encryption process.
  • Hunters International targets Windows and Linux environments and appends the .LOCKED extension to encrypted files on the victim machine once the group has completed data exfiltration.
  • The Hunters International Ransomware group primarily targets countries, such as the United States of America, Italy, Spain, the United Kingdom, and South Korea.
  • The Hunters International Ransomware group primarily targets industries, including Heavy Construction, Government Agencies, Telecommunications, Business Support Services, and Health Care Providers.
  • Based on the Hunters International Ransomware victims list from 1st Jan 2024 to 25 September 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Hunters International Ransomware from 1st Jan 2024 to 25 September 2024 are as follows:
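SharpRhino reaches victims through a domain that looks like the legitimate Angry IP Scanner site, so a cheap control is to watch DNS queries for lookalikes of the tool-download domains administrators actually use. The script below is an added example, not CYFIRMA’s code and not derived from the SharpRhino analysis; it assumes angryip.org as the legitimate domain, takes a constructed four-column DNS query log as input, and flags typosquats by edit distance, homoglyph substitution, brand-name embedding and swapped TLDs.

```python
"""Flag DNS queries for lookalikes of trusted tool-download domains (typosquat hunting).

Added example, not code from CYFIRMA or from the SharpRhino analysis. angryip.org is
assumed to be the legitimate Angry IP Scanner site; every query, client address and
timestamp below is constructed sample data.
"""
import re

# Legitimate registrable domain -> brand. Extend with the tools your admins download.
WATCHED = {"angryip.org": "Angry IP Scanner"}
# Character substitutions attackers use to make a lookalike read like the original.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
MAX_EDIT_DISTANCE = 2
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)\s+(?P<qtype>\S+)$")


def normalize(label):
    """Undo common homoglyph tricks so 'angry1p' compares as 'angrylp', etc."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(fqdn):
    """Split 'www.angryip.org.' into ('angryip', 'org').

    Simplification: takes the last two labels. Production code should consult the
    Public Suffix List so that names like 'example.co.uk' are handled correctly."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, None
    return labels[-2], labels[-1]


def classify(fqdn):
    """Return why a queried name looks like a lookalike of a watched domain, or None."""
    sld, tld = registrable(fqdn)
    if sld is None:
        return None
    for legit, brand in WATCHED.items():
        legit_sld, legit_tld = legit.split(".", 1)
        if (sld, tld) == (legit_sld, legit_tld):
            return None  # the real domain or one of its subdomains
        norm = normalize(sld)
        if norm == legit_sld:
            return f"{brand}: same name under a different TLD (.{tld})"
        dist = levenshtein(norm, legit_sld)
        if dist <= MAX_EDIT_DISTANCE:
            return f"{brand}: edit distance {dist} from {legit}"
        if legit_sld in norm:
            return f"{brand}: brand name embedded in {sld}.{tld}"
    return None


def scan_dns_log(text):
    """Parse 'timestamp client query qtype' lines and return the suspicious queries."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reason = classify(m["query"])
        if reason:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": m["query"], "reason": reason})
    return hits


# Constructed DNS query log: timestamp, client IP, queried name, record type.
SAMPLE_DNS_LOG = """\
2024-09-25T10:41:03Z 10.0.0.15 angryip.org A
2024-09-25T10:41:09Z 10.0.0.15 download.angryip.org A
2024-09-25T10:52:44Z 10.0.0.22 angryip-scanner.com A
2024-09-25T11:03:17Z 10.0.0.31 angryip.net A
2024-09-25T11:15:02Z 10.0.0.40 angrylp.org AAAA
2024-09-25T11:20:55Z 10.0.0.40 www.microsoft.com A
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit["ts"], hit["client"], hit["query"], "->", hit["reason"])
```

Three of the six constructed queries are reported (the brand-embedding .com, the swapped .net TLD and the l-for-i substitution); the real domain, its subdomain and an unrelated name pass. Run it against a resolver or Zeek dns.log export with the same four columns; the client address in each hit tells you which workstation to pull the download from.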

ETLM Assessment:
According to CYFIRMA’s assessment, the Hunters International ransomware group is expected to continue targeting a wide range of industries globally, with a particular focus on the United States, Europe, and Asia. The recent attack on Bank Rakyat, a leading finance company in Malaysia, shows the significant threat this ransomware poses in the Southeast Asia region and underlines the growing risk to critical industries there and the importance of strengthening defenses against such sophisticated threats.

5. Vulnerabilities and Exploits

Vulnerability in XenSource Xen

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Xen hypervisor (x86)
  • Vulnerability: CVE-2024-45817 (CVSS Base Score 6.2)
  • Vulnerability Type: Deadlock

Summary:
The vulnerability allows a buggy or malicious HVM or PVH guest to deadlock the hypervisor, causing a denial of service (DoS) for the host and every other guest running on it.

Relevancy & Insights:
The vulnerability is a deadlock in vlapic_error(), the function that records errors in the virtual Local APIC of an x86 HVM/PVH guest. If the guest configures its LAPIC error interrupt with an illegal vector, raising that interrupt itself generates a new error, so Xen recurses into vlapic_error(). The recursion is bounded, but each recursive call tries to take the same non-recursive spinlock, so the hypervisor hangs. No privileges beyond running a guest are required.

Impact:
A buggy or malicious HVM or PVH guest can deadlock Xen and perform a denial-of-service attack.

Affected Products: see Xen Security Advisory XSA-462 at https[:]//xenbits[.]xen[.]org/xsa/advisory-462.html

Recommendations:
Patching: Apply the fix published in XSA-462 to all affected Xen hosts; until then, only run trusted guests on hosts where a hypervisor hang would affect other tenants.
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior, such as a host that stops responding while its guests remain scheduled, that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
The Xen vulnerability is an availability issue rather than a data-disclosure one: a single misbehaving guest can hang the hypervisor and take down every other guest on the host. Because Xen underpins cloud and enterprise virtualization across technology, finance, healthcare, and other industries globally, an unpatched host is a single point of failure for all tenants sharing it. Applying the XSA-462 fix is therefore essential to safeguarding the multi-tenant virtualization that allows multiple operating systems to execute on the same hardware concurrently, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

ValenciaLeaks Ransomware attacked and Published the data of the Duopharma Biotech

  • Threat Actors: ValenciaLeaks Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing, Health Care
  • Target Geography: Malaysia
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that the ValenciaLeaks Ransomware attacked and published data of Duopharma Biotech Berhad (www[.]duopharmabiotech[.]com) on its dark web website. Duopharma Biotech Berhad is a Malaysian-based investment holding company. The principal activities of its subsidiary are to carry out business as a manufacturer, distributor, importer, and exporter of pharmaceutical products and medicines. Duopharma exports to countries such as Vietnam, Ethiopia, Sudan, Southeast Asia, Papua New Guinea, Pakistan, Bangladesh, Sri Lanka, the Republic of Yemen, Singapore, and Hong Kong. Its range of products includes tablets, capsules, syrup, antibiotics, creams, haemodialysis solutions, sterile irrigation solutions, sterile powder injectables, small-volume injectables, dental cartridges, and eye drop preparations. The data leak, following the ransomware attack, encompasses sensitive and confidential information related to the organization. The total size of the data breached is approximately 25.7 GB.

Source: Dark Web

Relevancy & Insights:

  • ValenciaLeaks ransomware was first identified in August 2024 and has quickly gained notoriety for its aggressive tactics and significant impact on various sectors.
  • The ValenciaLeaks ransomware targets a wide range of industries, including healthcare, finance, and manufacturing, exploiting vulnerabilities to gain access to sensitive data.

ETLM Assessment:
ValenciaLeaks ransomware represents a growing threat in the cybersecurity landscape, utilizing sophisticated tactics and double-extortion strategies to maximize impact on organizations. Vigilance and proactive security measures are essential for mitigating the risks associated with this evolving threat.

7. Data Leaks

Indonesian Officials’ Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
A threat actor has claimed responsibility for leaking the personal information of high-ranking Indonesian officials, including the president and his family, on a dark web forum. The alleged data breach, which reportedly occurred in September 2024, exposed detailed personal information about the Ministry of Finance staff, and other cabinet members as well.

According to the threat actor’s post, the compromised data spans approximately 6.6 million records, which have been compressed into a 500 MB file. Once uncompressed, the data size increases to 2 GB and is available in CSV format. The stolen data allegedly includes sensitive information, such as names, national identification numbers, tax registration numbers, residential addresses, email addresses, phone numbers, dates of birth, tax office names, regional tax office details, tax status, and more.

The cybercriminal is reportedly selling the database for $10,000 via a private CDN, stating that the dataset includes highly classified information about the officials, which could have serious implications for the country’s government.

Source: Underground Forums

Chunghwa Telecom Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Taiwan
  • Target Industry:Telecommunication
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
A threat actor on a dark web forum has claimed to possess over 600GB of sensitive data, allegedly stolen from Chunghwa Telecom, Taiwan’s largest telecommunications company. The post asserts that the data contains classified documents, including sensitive information and military documents.

The threat actor emphasized that escrow services would be accepted for the transaction. However, they made it clear that they would only entertain serious offers and would ignore any low bids.

The threat actor has indicated that the listing will remain active until the sale is finalized, at which point the post will be deleted. Prospective buyers are encouraged to contact the threat actor via the forum, with payment being accepted in cryptocurrency, including Bitcoin (BTC) and Monero (XMR), ensuring anonymity for both parties. The data breach has been attributed to a threat actor identified as “303”.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Threat Actor “303” is driven primarily by financial motives, frequently targeting a broad spectrum of industries, such as healthcare, finance, manufacturing, and critical infrastructure. This actor poses a significant risk in the cybersecurity landscape, employing advanced techniques to facilitate data breaches and achieve financial gains through the exploitation of sensitive information. To defend against this evolving threat, organizations must maintain heightened awareness and adopt proactive cybersecurity measures.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

Oracle Corporation, a leading multinational computer technology company, has allegedly suffered a data breach impacting the personal details of its employees.
According to the post, the breach exposed sensitive employee details from a third-party source, affecting 4,002 records.

The compromised information includes employees’ first and last names, job titles, company names, email addresses, and their locations, spanning personal and corporate addresses from various cities, states, and countries. The breach also revealed the timestamps for when the emails were created and last verified. The data breach has been attributed to a threat actor identified as “888”.

Source: Underground forums

A threat actor claims to be offering access to the Neom Project and MiSK Foundation in Saudi Arabia. The access allegedly includes VPN and database privileges, both admin and user-level, to systems related to two of Saudi Arabia’s most significant initiatives.

According to the actor, the Neom Project, a futuristic mega-city initiative, and the MiSK Foundation, focused on youth empowerment, education, and technology investments, are both targets. These entities collectively represent industries, ranging from education and entrepreneurship to research, energy, and sustainable living. The revenue for these organizations is claimed to range between $500 billion and $1 trillion, reflecting their high economic importance.

Source: Underground forums

ETLM Assessment:
The “888” threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes attack surface reduction controls, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies promptly, and continuously evolve them to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.