Weekly Intelligence Report – 31 Mar 2023

Weekly Attack Type and Trends

Key Intelligence Signals:

• Attack Type: Ransomware Attack, Vulnerabilities & Exploits, Malware Implants, DoS, DDoS, Spear Phishing
• Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
• Ransomware – Clop Ransomware | Malware – AresLoader
• Clop Ransomware – One of the ransomware groups
• Please refer to the trending malware advisory for details on the following:
• Malware – AresLoader
• Behavior – Most of these malware use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

South Asia-based Bitter APT Targets Nuclear Energy Industry

• Suspected Threat Actors: Bitter APT
• Attack Type: Spear Phishing
• Objective: Operational Disruption, Data Theft
• Target Technology: Windows
• Target Industries: Critical Infrastructure, Energy
• Business Impact: Operational Disruption

Summary:

In a recent observation, Bitter APT was found to target the Nuclear Industry in China. The threat actor is active since the year 2013 and is known for targeting Pakistan, Bangladesh Saudi Arabia, and China through well-crafted spear phishing emails. The tactics are similar to the previous campaigns that were active during the year 2021. In a recent attack, the threat actor applied a fresh layer of obfuscation to its malware to make it hard for analysts to detect. Phishing mail disguised to be from the Embassy of Kyrgyzstan was sent to Chinese recipients in Nuclear Energy Industry. Around 7 suspicious emails were detected, and a few were sent to entities in academia related to Nuclear Energy. Phishing emails tried to manipulate victims by inviting them to conferences related to their field. The phishing emails had attachments with RAR files that contained HTML Help (CHM) or Excel payload. An excel file leveraged Equation Editor exploits which led to the creation of two scheduled tasks, one performs fetching the second stage EXE payload using cURL and the second task performs execution of fetched EXE payload. In the CHM case, it also creates a scheduled task for the persistence and downloading of payloads for the next stage attack.

Insights:

Nicely crafted social engineered email in this attack suggests that the threat actor had a good understanding of the working activities and responsibilities of the targeted individuals.

Recently, scientists working in nuclear research in the US were targeted by Cold River APT, a group based in Russia, using a phishing email that contained a password grabber. The nuclear sector continues to be a prime target for APT groups because it provides them with valuable intelligence and can help them gain an advantage over their adversaries.

Major Geopolitical Developments in Cybersecurity

North Korean hackers active in South Korea and Germany

The German intelligence agency BfV and the Republic of Korea’s National Intelligence Service have issued a joint advisory describing a spearphishing campaign by North Korea’s Kimsuky threat actor (also known as Thallium or Velvet Chollima).

The threat actor is going after experts on the Korean Peninsula and North Korea concerns with a malicious Chrome extension and malware-filled Android app. Analysts say that the attackers deceive their victims into installing the Chrome extension by sending them spearphishing emails. The extension can exfiltrate emails from the victim’s Gmail account once it is installed.

The APT is also using an Android Trojan called “FastViewer,” which was first observed in October 2022. The app is delivered via the Google Play console developer site for ‘internal testing only,’ and the victim’s device is supposedly added as a testing target. The advisory adds that since the technology exploited in this attack can be used universally, it can be used by foreign affairs and security think tanks around the world as well as unspecified people.

In other news, another North Korean threat actor known as Reaper or APT37 has been observed engaging South Korean targets. Researchers have observed APT37 conducting cyberespionage against individuals within South Korean organizations in February and March of this year. The gang disseminates the Chinotto PowerShell-based backdoor, giving the perpetrators full power and the ability to steal sensitive data from the victims.

A shift in Russian cyber operation tactics

According to researchers, Russia’s cyberwar on Ukraine has largely failed so far and Moscow is thus increasingly shifting focus towards the Western allies of Kyiv.

Russian actors are increasingly concentrated on attacking EU & NATO countries because Ukraine has proven to be a difficult target and cyberattack there have been largely replaced by kinetic strikes. The third quarter of 2022 saw a clear shift from a cyberwar focused on Ukraine to a high-intensity hybrid cyberwar across Europe, marking a turning point in cyberattacks linked to the conflict in Ukraine. With a growing emphasis on vital national infrastructure in sectors like aviation, energy, healthcare, banking, and public services, Russian hackers are primarily targeting Poland as well as the Baltic and Nordic countries and smaller nations that are seeking full EU membership, like Montenegro and Moldova. The cyber-attacks are often complemented by strong information warfare campaigns against both public and private institutions with the goal of weakening them and discrediting them alongside Ukraine itself.

Attacks against nations that back Ukraine’s cause have a clear connection to some recent events. For instance, a DDoS attack by Anonymous Russia against several Slovak government websites happened right after Slovakia decided to move its MiG-29 jet fighters to Ukraine.

US Cyber Agency urges to keep vigilance against Russian cyber campaigns

Despite the failure of Russian cyberattacks to do any major damage to Western infrastructure so far, the US Cybersecurity and Infrastructure Security Agency (CISA) remains on guard against the possibility of a Russian cyber offensive, against the nuclear power sector. The agency has recently stated that a combination of effective defense, deterrence, and decisions by the Russian government itself have all contributed to the lack of effect on critical infrastructure. The agency also confirmed that it has yet not observed successful attacks on the United States from Russian state-backed actors and credited it to prepared defenses, increased vigilance, and successful cooperation of both government and industry in hardening the targets.

Russian hacktivist auxiliary groups have proven to be very active, but their attacks have so far only been on the level of annoyance. Hacktivists are mostly using DDoS attacks to briefly disable servers and interrupt services and engage in guerrilla cyber-harassment campaigns. The Russian groups span a variety of expertise levels and are frequently, though not always, linked to cybercriminal gangs. Given the tolerance and protection it gets from Moscow, criminal activity by Russian gangs has also continued at a high level, especially about ransomware attacks against inadequately protected organizations. This type of criminal activity might be described as privateering and has been on a steady rise in recent months.

Other Observations

CYFIRMA Research team observed the sale of database access of UK-based manufacturer Jabsco (www[.]jabsco[.]com) by the unknown threat actor. It is up for sale for USD 176,000.

Source: Telegram

STRATEGIC RECOMMENDATION

• Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
• Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
• Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
• Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
• Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

• Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
• Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
• Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and, are measured against real attacks the organization receives.
• Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
• Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

• Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
• Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
• Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
• Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
• Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.