Self Assessment

Weekly Intelligence Report – 29 Nov 2024

Published On : 2024-11-28
Share :
Weekly Intelligence Report – 29 Nov 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Heda Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Heda Ransomware
In early November 2024, researchers identified a new ransomware variant named Heda. This ransomware encrypts files on compromised systems, alters filenames, and modifies the desktop wallpaper. It also generates a ransom note in a text file titled “#HowToRecover.txt.” The ransomware renames files by appending the victim’s unique ID, an email address, and the “.Heda” extension to the original filenames.

Notably, Heda ransomware is identical to the previously known Sauron ransomware.

Screenshot of files encrypted by this ransomware (Source: SurfaceWeb)

Heda’s ransom note informs victims that their critical files have been both encrypted and stolen, claiming that recovery is only possible with the attackers’ proprietary decryption tool. The note assigns a unique identifier to the victim and directs them to contact the attackers via email or Telegram for file restoration instructions.

The attackers threaten to leak or sell sensitive data if the victim fails to pay the ransom and caution against using third-party tools, warning that such actions could cause irreversible damage. Additionally, the note provides links to platforms where victims can purchase Bitcoin to facilitate the ransom payment.

Screenshot of Heda’s text file (“#HowToRecover.txt”) (Source: Surface Web)

Screenshot of Heda’s desktop wallpaper:(Source: Surface Web)

Following are the TTPs based on the MITRE Attack Framework.

Tactic ID Technique
Execution T1047 Windows Management Instrumentation
Execution T1129 Shared Modules
Persistence T1574.002 Hijack Execution Flow: DLL Side-Loading
Privilege Escalation T1055 Process Injection
Privilege Escalation T1134 Access Token Manipulation
Privilege Escalation T1574.002 Hijack Execution Flow: DLL Side- Loading
Defense Evasion T1027.002 Obfuscated Files or Information : Software Packing
Defense Evasion T1027.005 Obfuscated Files or Information:
Indicator Removal from Tools
Defense Evasion T1036 Masquerading
Defense Evasion T1055 Process Injection
Defense Evasion T1134 Access Token Manipulation
Defense
Evasion
T1497 Virtualization /Sandbox Evasion
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Defense
Evasion
T1564.001 Hide Artifacts: Hidden Files and Directories
Defense
Evasion
T1574.002 Hijack Execution Flow: DLL Side-Loading
Credential
Access
T1003 OS Credential Dumping
Discovery T1010 Application Window Discovery
Discovery T1012 Query Registry
Discovery T1016 System Network Configuration Discovery
Discovery T1049 System Network Connections Discovery
Discovery T1057 Process Discovery
Discovery T1082 System Information Discovery
Discovery T1083 File and Directory Discovery
Discovery T1135 Network Share Discovery
Discovery T1497 Virtualization/Sandbox Evasion
Discovery T1518.001 Software Discovery: Security Software Discovery
Discovery T1614 System Location Discovery
Collection T1005 Data from Local System
Command and
Control
T1071 Application Layer Protocol
Command and T1573 Encrypted Channel
Control    
Impact T1485 Data Destruction
Impact T1486 Data Encrypted for Impact
Impact T1490 Inhibit System Recovery
Impact T1529 System Shutdown/Reboot

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • Developers use debugging environments to analyze and troubleshoot software. Ransomware uses this technique to determine whether it is operating in a debug environment, which aids it in avoiding analysis and detection attempts.
  • Ransomware utilizes extended sleep intervals to evade detection by security software, enabling it to operate stealthily and increasing the likelihood of completing file encryption before being identified.

ETLM Assessment:
According to the assessment from CYFIRMA, the ransom note associated with Heda ransomware indicates a primary focus on targeting enterprises to maximize financial returns. This suggests that ransomware is likely to become a serious threat to developed nations, with industries such as Manufacturing, Healthcare, Hospitality, and Finance expected to be key targets due to their substantial ransom payment capacities and heavy reliance on critical data. Furthermore, the ransomware warns that non-compliance could lead to the exposure or sale of sensitive corporate information.

Sigma Rule
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.defense-evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’ selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) fields:
– CommandLine
– ParentCommandLine falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface web)

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information stealer
Objective: Data theft, Data Exfiltration
Target Technologies: Windows OS, Facebook Ads Manager

Active Malware of the Week
This week “NodeStealer” is trending.

NodeStealer
Researchers have uncovered new NodeStealer samples targeting Facebook Ads Manager accounts, a tool used to manage advertising campaigns on platforms like Facebook and Instagram. Originally discovered in 2023 as a Python-based infostealer aimed at Facebook Business accounts, NodeStealer has spent over a year stealing login credentials, cookies, and saved browser data. These latest variants expand the malware’s capabilities by focusing on Ads Manager, pilfering budget details, credit card information, and additional credentials. Using advanced techniques such as Windows Restart Manager to unlock browser databases, junk code obfuscation, and batch script-driven dynamic execution, the malware demonstrates a sophisticated evolution. Researchers believe its ultimate goal is to exploit compromised accounts for creating malicious ads, posing a growing threat to digital advertising platforms.

Attack Strategy
Researchers have identified NodeStealer samples designed to extract detailed information from Facebook Ads Manager accounts. By using cookies stolen from a victim’s machine, the malware generates an access token to log into adsmanager.facebook.com. With this token, it retrieves business details linked to the account through the Facebook Graph API and stores the data in a file named “data.txt” in the TEMP folder. The malware then gathers additional account details from the Ad Accounts endpoint, appending this information to the same file, showcasing its methodical data theft approach.

Fig: Facebook Ads Manager account details targeted by the attacker.

Avoiding Detection in Vietnam
The attackers behind the NodeStealer campaign targeting Facebook Ads Manager accounts appear to be Vietnamese, as some of the malware’s strings are in Vietnamese. However, they intentionally avoid victims in Vietnam by checking the country code through ipinfo and exiting the script if the code is “VN.” This tactic is common among cybercriminals to evade legal risks and reduce attention from local law enforcement.

Evolving Techniques of NodeStealer Windows Restart Manager
Some Python NodeStealer variants use Windows Restart Manager to unlock locked database files, enabling the malware to steal sensitive information. Typically used to minimize reboots during software updates, Restart Manager is exploited here to bypass file locks. The malware copies browser database files to a temporary folder, uses Sqlite3 to query data, and relies on the Restart Manager DLL to identify and terminate processes locking the files. By leveraging legitimate tools like Restart Manager, attackers evade detection and enhance their data extraction capabilities.

Credit card information theft
Some NodeStealer variants have added the ability to steal credit card information by targeting the “Web Data” files of browsers. These files, stored as SQLite databases, contain sensitive autofill data and saved payment methods. By querying the stolen databases with Python’s SQLite3 library, the malware extracts credit card details, including the cardholder’s name, card number, and expiration date, significantly expanding its scope for financial theft.

Persistence through run registry keys
Some NodeStealer variants have adopted a new persistence technique using the Windows Run registry key. Previously, the malware relied on the startup folder for persistence, a method still seen in some samples. However, newer variants now use the current user’s Run key in the registry, leveraging PowerShell to execute the malicious Python script, making the persistence mechanism stealthier and more resilient.

Junk code
Some NodeStealer variants include large amounts of junk code, likely added to inflate the file size and evade detection by systems that prioritize smaller files. These variants feature tens of megabytes of junk code, with the actual malicious script hidden within 3.9 to 6 million characters of filler, making analysis more challenging and time-consuming.

Dynamic generation via batch file
A newer NodeStealer variant found in the wild uses a batch file to generate and execute the Python infostealer. Unlike older samples that relied on batch files to download payloads from external sources, this variant embeds the entire payload within the batch file itself.

The batch script echoes the malicious Python code line-by-line into a separate file, simplifying deployment while avoiding external network activity.

Telegram still used for exfiltration
All analyzed NodeStealer samples continue to use Telegram for exfiltrating stolen data. The malware saves the pilfered credentials and victim information, such as public IP address, country, and hostname, into text files. These files are then compressed into a zip archive and sent to the attacker via Telegram, ensuring quick and covert data transfer.

INSIGHTS

  • NodeStealer represents a growing cyber threat, evolving from its initial discovery in 2023 to target more sophisticated platforms and sensitive data. Initially focused on stealing credentials from Facebook Business accounts, the malware has expanded its reach to exploit Facebook Ads Manager, a critical tool for managing advertising campaigns. By pilfering budget details and credit card information, the attackers aim to gain control of high-value accounts, potentially using them to run fraudulent ads. This evolution highlights how threat actors adapt their campaigns to target platforms with significant financial and reputational value.
  • The campaign also reflects the strategic sophistication of its operators. By embedding junk code, employing advanced persistence mechanisms like registry keys, and leveraging legitimate tools such as Windows Restart Manager, NodeStealer manages to evade detection while efficiently stealing information. The attackers’ decision to avoid victims in Vietnam, where they are likely based, underscores their awareness of legal risks and law enforcement activity. This tactic, coupled with methods like embedding payloads in batch files, points to a deliberate effort to remain stealthy and resilient against countermeasures.
  • What makes NodeStealer particularly concerning is its use of a platform like Telegram for exfiltration, ensuring quick and covert data transfer. The malware’s focus on digital advertising ecosystems poses a broader threat to businesses that rely on platforms like Facebook and Instagram. If left unchecked, campaigns like this could erode trust in digital advertising channels, increase financial losses, and disrupt marketing strategies for organizations worldwide. Its continued evolution signals the importance of proactive defense measures and heightened awareness across affected industries.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that as NodeStealer continues to evolve, its reach and sophistication are expected to expand, intensifying the threat to both businesses and individuals. By targeting sensitive data from platforms like Facebook Ads Manager, the malware is likely to increase risks such as financial theft, personal data loss, and privacy breaches. The use of legitimate system tools and the embedding of malicious payloads in seemingly harmless files will complicate traditional security efforts, making detection and prevention more challenging. As NodeStealer increasingly leverages system processes, its attacks may become harder to spot, leaving many unaware until significant damage occurs. With the malware’s capabilities growing, targeted attacks are expected to rise, further escalating the challenges of online security and personal data protection.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more, by identifying such patterns.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Enforce policies to validate third-party software before installation.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks, and Malware implants.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –Medusa Ransomware, ArcusMedia Ransomware | Malware – NodeStealer
  • Medusa Ransomware – One of the ransomware groups.
  • ArcusMedia Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – NodeStealer
  • Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

A Chinese APT group targeting critical industries in the US, the Asia-Pacific region, the Middle East, and South Africa

  • Threat actor: Earth Estries
  • Initial Attack Vector: Exploiting vulnerabilities, Malware implant
  • Objective: Espionage
  • Target Technology: Database servers and Cloud servers
  • Target Geographies: US, Asia-Pacific, Middle East, and South Africa.
  • Target Industries: Telecommunications, Technology, Consulting, Chemical Industry, and Transportation, Government agencies, and NGOs.
  • Business Impact: Operational downtime, data theft, and potential destruction of sensitive information.

Summary:
Earth Estries, a highly sophisticated Chinese APT group has emerged as a significant threat in recent years. Since 2023, the group has primarily targeted critical industries, such as telecommunications, government agencies, and private-sector organizations across regions including the United States, Asia-Pacific, the Middle East, and South Africa.

Earth Estries uses a combination of exploiting known vulnerabilities in publicly exposed servers and deploying custom malware for long-term access. The group is known for its strategic, technical approach, utilizing N-day vulnerabilities (CVE-2023-46805 – CVSS 8.2, CVE-2024-21887-CVSS 9.1, CVE-2023-48788-CVSS 9.8, CVE-2022-3236-

CVSS 9.8, CVE-2021-26855-CVSS 9.8, CVE-2021-26857-CVSS 7.8, CVE-2021- 26858-CVSS 7.8, CVE-2021-27065-CVSS 7.8)to gain initial access, such as those in Ivanti VPN, Fortinet FortiClient, and Microsoft Exchange. Once inside, they employ living-off-the-land binaries for lateral movement and deploy malware like SNAPPYBEE (Deed RAT) and DEMODEX rootkit to maintain persistence. Additionally, Earth Estries uses cross-platform backdoors like MASOL RAT, which targets both Linux and Windows systems. A key tool in their arsenal is the GHOSTSPIDER backdoor, a highly modular and adaptable malware that allows attackers to dynamically load various components based on their objectives. This malware uses encrypted communications and custom protocols to evade detection and maintain secure communication with C&C servers. The group’s tactics also include sophisticated network obfuscation techniques, such as using distributed C&C infrastructure and encrypted communication channels through SoftEther VPN. Their victims span over 20 organizations in various sectors, including telecommunications, technology, government, and NGOs.

Earth Estries’ primary motivation is cyber espionage, which is focused on gathering sensitive information related to government operations, military intelligence, and corporate secrets. The group’s long-term objective appears to be the strategic infiltration of critical infrastructure, refining attack methods, and penetrating multiple levels of organizations, including secondary contractors and service providers. This persistent and evolving threat emphasizes the need for continued vigilance and proactive cybersecurity measures to defend against such advanced threats.

Relevancy & Insights:
Earth Estries, with a notable history of cyber espionage operations targets governments, telecommunications, and critical infrastructure. Their past attacks have focused on exploiting known vulnerabilities in widely used software and services, such as Microsoft Exchange (via ProxyLogon vulnerabilities) and Fortinet VPNs. These early campaigns established Earth Estries as a group skilled in long-term, stealthy operations, often compromising networks for years without detection. For instance, in their 2020 and 2021 campaigns targeting Southeast Asian governments, they employed tools like the MASOL RAT and DEMODEX rootkit to maintain access and exfiltrate sensitive data.

In more recent incidents, such as the 2023 attacks on telecommunications companies in Southeast Asia, Earth Estries escalated their use of modular backdoors, notably GHOSTSPIDER, which has a more sophisticated and multi-layered approach compared to previous malware.

This evolution reflects the group’s growing sophistication and ability to adapt their tools for specific targets and environments. Furthermore, their recent use of Cobalt Strike and overlapping C&C infrastructure with past incidents highlights their continued reliance on a mix of old and new techniques. The group’s shift towards cloud infrastructure, combined with its longstanding focus on exploiting supply chains and targeting vendor networks (as seen in recent attacks on consulting firms), indicates a strategic refinement in their operations. These patterns suggest that Earth Estries continues to build on its earlier methods, refining its tactics, tools, and infrastructure while maintaining its primary goal of espionage and data theft, specifically from high- value government and corporate entities.

ETLM Assessment:
Earth Estries is a Chinese advanced persistent threat (APT) group specializing in cyber espionage. They target high-value organizations and sectors, focusing on gathering intelligence and maintaining long-term access to compromised networks. Their geographic targets span the United States, Southeast Asia, the Middle East, South Africa, and the Asia-Pacific region. The group has primarily attacked government agencies, telecommunications, consulting firms, NGOs, and critical infrastructure, using sophisticated techniques to exploit vulnerabilities in widely-used technologies, including public servers, VPNs, and cloud environments. Earth Estries is adept at exploiting critical vulnerabilities like those in Ivanti Connect Secure VPN, Fortinet FortiClient EMS, and Microsoft Exchange, as well as leveraging public infrastructure flaws to gain access. Their malware arsenal includes tools like SNAPPYBEE, DEMODEX rootkit, MASOL RAT, and GHOSTSPIDER, all of which are used for surveillance, data exfiltration, and maintaining persistence within networks. Their tactics evolve with time, shifting towards more complex malware, like modular backdoors that operate across multiple platforms (Windows and Linux), and increasingly targeting cloud services and supply chains. The group’s ability to adapt to emerging threats and their ongoing use of highly obfuscated and stealthy methods make them a formidable player in cyber espionage. Looking ahead, Earth Estries will likely continue to focus on exploiting unpatched vulnerabilities, evolving their malware capabilities, and potentially collaborating with other APT groups. Organizations must strengthen defenses, patch vulnerabilities, and enhance threat detection to protect against these persistent, sophisticated attacks.

Recommendations:

Strategic Recommendations

  • Strengthen Vulnerability Management and Patch Management Programs: Given that Earth Estries has consistently exploited critical vulnerabilities such as CVE-2023- 46805 – CVSS 8.2, CVE-2024-21887-CVSS 9.1, CVE-2023-48788-CVSS 9.8, CVE- 2022-3236-CVSS 9.8, CVE-2021-26855-CVSS 9.8, CVE-2021-26857-CVSS 7.8, CVE- 2021-26858-CVSS 7.8, and CVE-2021-27065-CVSS 7.8, it is crucial to bolster your patch management strategy. Ensure that your vulnerability management process includes timely and effective remediation of high-severity vulnerabilities, especially those affecting externally facing services.
  • Enhance Threat Intelligence Integration: The integration of real-time threat intelligence feeds into your existing SIEM (Security Information and Event Management) system will significantly improve your ability to detect malicious activities related to Earth Estries. You should focus on integrating the IoCs (Indicators of Compromise) shared in this report to provide immediate visibility into known threat infrastructure and artifacts.
  • Conduct Regular Red Teaming and Penetration Testing: Earth Estries uses sophisticated lateral movement techniques and bespoke malware to maintain persistence within the target environment. Conducting regular red team exercises will help simulate real-world attacks, providing valuable insight into how attackers might exploit weaknesses in your environment.
  • Increase Endpoint Detection and Response (EDR) Monitoring: Earth Estries employs a wide range of malware, including SNAPPYBEE, DEMODEX rootkit, and GHOSTSPIDER. To mitigate these threats, ensure that your EDR tools are configured to detect these specific threats and other variants that may evolve.

Tactical Recommendations

  • Improve Detection of Lateral Movement and Privilege Escalation: Earth Estries relies on advanced techniques like DLL side-loading and system binary proxy execution to move laterally across networks. Implement proactive monitoring of unusual behavior, particularly around the execution of system binaries like rundll32.exe and wmic.exe.
  • Enhance Network Traffic Analysis for Command-and-Control (C&C) Communication: Earth Estries uses sophisticated network obfuscation techniques to evade detection, often employing TLS-encrypted traffic and custom protocols to communicate with C&C servers. Implement network traffic analysis to detect abnormal patterns, such as unusual use of application-layer protocols or encrypted traffic that may be hiding C&C communication.

Operational Recommendations

  • Implement Advanced Malware Analysis Capabilities: Earth Estries deploys complex, multi-stage malware like GHOSTSPIDER, which makes detection challenging. Ensure that your team has access to advanced malware analysis tools to reverse-engineer new variants and develop custom signatures for effective detection.
  • Enhance Incident Response Procedures and Playbooks: The evolving nature of Earth Estries’ attack campaigns requires a rapid and coordinated response. Your SOC should have tailored playbooks for responding to Earth Estries’ specific tactics, including detecting DLL side-loading, credential theft, and C&C communication.
  • Conduct Employee Awareness and Phishing Prevention Training: Although Earth Estries is highly technical, social engineering techniques could be employed to gain initial access. Provide regular training to employees on identifying phishing attempts, especially those targeting sensitive systems, such as VPNs or cloud-based platforms.
MITRE ATT&CK Tactics and Techniques
Tactics ID Technique
Execution T1129 Shared Modules
Persistence T1574.002 Hijack Execution Flow: DLL Side- Loading
Defense Evasion T1027.002 Obfuscated Files or Information: Software Packing
Defense Evasion T1027.005 Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion T1036 Masquerading
Defense Evasion T1218.011 System Binary Proxy Execution: Rundll32
Defense Evasion T1497 Virtualization/Sandbox Evasion
Credential Access T1056 Input Capture
Discovery T1082 System Information Discovery
Discovery T1518.001 Software Discovery: Security Software Discovery
Collection T1056 Input Capture
Command and Control T1071 Application Layer Protocol

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Russia targets post-Soviet states
Researchers have published a report on a Russian cyberespionage campaign targeting organizations in Central Asia, East Asia, and Europe with two strains of custom malware dubbed “HATVIBE” and “CHERRYSPY.” The campaign has been linked to the Russia-aligned threat actor TAG-110, while its tactics overlap with previous operations by Russia’s Fancy Bear, an APT controlled by Russian intelligence.

Since the summer of this year, the espionage campaign has targeted governments, human rights groups, and educational institutions in eleven countries, including Kazakhstan, Kyrgyzstan, and Uzbekistan.

ETLM Assessment:
The behaviour of the Central Asian states shows a general conviction that Moscow is no longer able to play its role of an enforcer and more and more eyes are directed primarily towards Beijing and partly also towards Ankara. In Central Asia, it is Beijing in particular that is facing pressure from local governments to fill the security vacuum left by Moscow. An increasing number of Central Asian soldiers and police are being trained in China, and Russian weapons are increasingly being replaced by Chinese ones. The European Union is the main regional trading partner, followed by China and Russia is only third. Hence, the effort, which is clearly a classic case of state-driven espionage, is likely part of a broader Russian strategy to gather intelligence on geopolitical developments and maintain influence in post-Soviet states.

4. Rise in Malware/Ransomware and Phishing

The Medusa Ransomware impacts Maxeon

  • Attack Type: Ransomware
  • Target Industry: Energy, and Manufacturing
  • Target Geography: Singapore
  • Ransomware: Medusa Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Singapore; Maxeon (https[:]//maxeon[.]com), was compromised by Medusa Ransomware. Maxeon is a solar energy innovation company that designs, manufactures and markets advanced solar panels and solutions worldwide under the Maxeon and SunPower brands. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway.

The compromised data encompasses a trove of sensitive and confidential records, originating from the organizational database. The compromised data has been listed for sale with an asking price of $1,000,000.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Medusa ransomware has been active since late 2021 and has quickly established itself as a major player in the ransomware space, employing a double extortion strategy. Once inside, Medusa uses strong encryption methods (AES-256 and RSA-2048) to secure files, rendering them inaccessible without the decryption key held by the attackers.
  • The Medusa Ransomware group primarily targets countries like the United States of America, Canada, the United Kingdom, Italy, and Australia.
  • The Medusa Ransomware group primarily targets industries, such as Manufacturing, Healthcare, Finance, Law, and Retail.
  • Based on the Medusa Ransomware victims list from 1 Jan 2024 to 27 November 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by Medusa Ransomware from 1 Jan 2024 to 27 th November 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, Medusa ransomware continues to evolve as a significant threat within the cybersecurity landscape, characterized by its sophisticated tactics and aggressive extortion methods. Organizations are urged to implement robust cybersecurity measures, including regular updates, employee training on phishing awareness, and comprehensive incident response plans to mitigate risks associated with this evolving threat actor. Continuous monitoring of Medusa’s activities will be essential for understanding its impact on global cybersecurity efforts.

The ArcusMedia Ransomware impacts PK Mulyo

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Indonesia
  • Ransomware: ArcusMedia Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia; PK Mulyo (www[.]mulyo[.]com) was compromised by ArcusMedia Ransomware. PK Mulyo is an Indonesian company specializing in furniture manufacturing. PK Mulyo manufactures furniture using both local and imported materials, such as teak, mahogany, oak, and maple. They produce a variety of furniture styles, ranging from classic to contemporary, with a focus on craftsmanship and design. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data encompasses a trove of sensitive and confidential records, originating from the organizational database.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • ArcusMedia ransomware began operations in May 2024 and has quickly gained attention in the cybersecurity community. The group employs phishing emails to gain initial access, deploying custom ransomware binaries and using obfuscation techniques to evade detection.
  • The ArcusMedia Ransomware group primarily targets countries like Brazil, the United States of America, Colombia, the United Kingdom, and Italy.
  • The ArcusMedia Ransomware group primarily targets industries, such as Software, Finance, Transportation, Computer Services, and Telecommunications.
  • Based on the ArcusMedia Ransomware victims list from 1 May 2024 to 27 November 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries, most affected by ArcusMedia Ransomware from 1st May 2024 to 27th November 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, ArcusMedia ransomware represents a significant new threat in the cybersecurity landscape, characterized by its sophisticated tactics and aggressive approach to extortion. Organizations are advised to enhance their cybersecurity defenses, including employee training on phishing awareness, regular updates to systems, and comprehensive incident response plans to mitigate risks associated with this evolving threat actor. Continuous monitoring of ArcusMedia’s activities will be essential for understanding its impact on global cybersecurity efforts.

5. Vulnerabilities and Exploits

Vulnerability in GLib2

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Operating system
  • Vulnerability: CVE-2024-52533
  • CVSS Base Score: 9.8

Source
Vulnerability Type: Buffer Overflow

Summary:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

Relevancy & Insights:
The vulnerability exists due to an off-by-one error in gio/gsocks4aproxy.c when handling responses from the SOCKS4 proxy. A remote attacker can trick the victim into connecting to a malicious SOCKS4 proxy server, trigger an off-by-one error, and execute arbitrary code on the target system.

Impact:
Successful exploitation of this vulnerability may result in complete compromise of vulnerable systems.

Affected Products:
https[:]//www[.]suse[.]com/support/update/announcement/2024/suse-su- 20244051-1/

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in GLib can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of GLib is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding the functionality of portable utility libraries, including data types, type conversions, string utilities, and file handling, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

Hunters International Attacked and Published the Data of Sercomm

  • Threat Actors: Hunters International Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Telecommunications
  • Target Geography: Taiwan
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that Hunters International Ransomware attacked and published the data of Sercomm (www[.]sercomm[.]com) on its dark web website. Sercomm Corporation is a global leader in the telecommunications and broadband solutions industry. The company specializes in designing and manufacturing a wide range of broadband networking products, including 4G/5G customer premises equipment (CPE), Wi-Fi routers, mesh systems, small cells, and IoT devices. Their products are widely used in home networking, enterprise connectivity, and smart city applications. The data leak, following the ransomware attack, encompasses sensitive and confidential records, originating from the organizational database. The scale of the data exposure measures approximately 605.6 GB, comprising a total of 421,597discrete files.

Source: Dark Web

Relevancy & Insights:

  • The Hunters International Ransomware group has been utilizing a new remote access trojan (RAT) named SharpRhino, which is designed to infiltrate corporate networks by masquerading as legitimate software. This RAT modifies Windows registry settings to ensure persistence and can execute PowerShell commands to facilitate further malicious activities.
  • Hunters International is a Ransomware that targets Windows and Linux environments which add .LOCKED extension to the encrypted files on the victim machine, once the data exfiltration gets completed by the Ransomware group.

ETLM Assessment:
According to CYFIRMA’s assessment, the Hunters International ransomware group is expected to continue targeting a wide range of industries globally, with a particular focus on the United States, Europe, and Asia. A recent attack on Sercomm, a leading Telecommunications company in Taiwan, highlights the significant threat this ransomware poses in the East Asian region. This incident highlights the growing risk to critical industries in the area and the importance of strengthening cybersecurity defenses against such sophisticated threats.

7. Data Leaks

Pegadaian Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Finance
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data sale related to Pegadaian (www[.]pegadaian[.]co[.]id) in an underground forum. Pegadaian is an Indonesian state-owned enterprise specializing in pawnbroking and financial services. The compromised data reportedly includes information on 13,000 employees, encompassing their full names, job titles, email addresses, and phone numbers. The data breach has been attributed to a threat actor known as “IntelBroker.”

Source: Underground Forums

Intelligence Business (Thailand) Co., Ltd. (IntBizTH) Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: IT Services and Business consulting
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
The database of Intelligence Business (Thailand) Co., Ltd. (IntBizTH)(http[:]//IntBizTH[.]com), a Thai business platform, has been leaked online. The breach exposes sensitive user information, highlighting potential risks to privacy and data security. This incident underscores the need for enhanced cybersecurity measures to protect users from exploitation.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
IntelBroker acts as an “intelligence broker,” breaching organizations and selling their compromised data on underground forums. They have claimed responsibility for over 80 data leaks, affecting more than 400 organizations. Based on the available information, CYFIRMA’s assessment indicates that IntelBroker represents a significant threat in the cybercrime landscape due to its aggressive tactics and high-profile targets. Organizations must remain vigilant and proactive in their cybersecurity measures to protect against such evolving threats.

Recommendations: Enhance the cybersecurity posture by

  • Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

The official platform http[:]//DubaiPulse[.]gov[.]ae, a critical hub for UAE government services, has reportedly been breached. The leaked database includes sensitive information, potentially affecting individuals and entities using the platform. This incident raises serious concerns about the security of government-managed digital platforms and underscores the urgent need for robust cybersecurity measures.The data breach has been attributed to a threat actor identified as “Henrymans0n”.

Source: Underground forums

ETLM Assessment:
The “Henrymans0n” threat actor group has recently surfaced as a significant player in cybercrime, primarily driven by financial motives. Active in underground forums, the group has already targeted various sectors, including government, industrial conglomerates, retail, staffing, business consulting, banking, e-commerce, and electric utilities. This broad range of targets signals their intent to further expand their operations across additional industries on a global scale.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and, are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

4. Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.