Weekly Intelligence Report – 03 Jul 2026 | #ransomware | #cybercrime


Published On : 2026-07-03

Ransomware In Focus

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: Windows OS

Introduction:
CYFIRMA Research and Advisory Team has found the Friends Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Friends Ransomware
Friends is a ransomware strain that encrypts user data using strong cryptographic techniques and appends the .friends124 extension to every affected file, rendering them inaccessible without the corresponding decryption key. After completing encryption, it creates an HTML file named RANSOM_NOTE.html that serves as the primary communication channel with the victim. The malware is designed not only to disrupt data availability but also to pressure victims by claiming that sensitive information has been exfiltrated prior to encryption, indicating a double-extortion approach commonly used in modern ransomware campaigns.

Screenshot: File encrypted by the ransomware (Source: Surface Web)

The ransom note informs victims that their files have been encrypted and instructs them to establish contact through the attacker-provided communication channels to obtain payment instructions and the decryption utility. It claims that confidential and personal data has been copied to a remote server and threatens public disclosure or sale of the stolen information if the ransom demand is not met. To increase credibility, the operators offer to decrypt a small number of non-essential files at no cost as proof that file recovery is possible. The note also warns that the ransom amount will increase if communication is delayed beyond a specified time window, applying additional psychological pressure to accelerate payment.

Screenshot: The appearance of the Friends ransom note (RANSOM_NOTE.html) (Source: Surface Web)

From a technical incident response perspective, removal of the ransomware only prevents further encryption activity and does not restore already encrypted files. Recovery typically depends on the availability of unaffected offline or isolated backups, as encrypted data generally cannot be decrypted without the corresponding private key unless a cryptographic flaw exists in the ransomware implementation. During remediation, responders should isolate the compromised system, preserve encrypted files and the ransom note for forensic analysis, identify and eliminate any persistence mechanisms or associated malicious components, investigate potential credential compromise and data exfiltration, and verify system integrity before restoring data to prevent reinfection.

The following are the TTPs based on the MITRE Attack Framework

Tactic | Technique ID | Technique Name
Execution | T1047 | Windows Management Instrumentation
Execution | T1053.002 | Scheduled Task/Job: At
Execution | T1053.005 | Scheduled Task/Job: Scheduled Task
Execution | T1569.002 | System Services: Service Execution
Persistence | T1053.002 | Scheduled Task/Job: At
Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task
Persistence | T1112 | Modify Registry
Persistence | T1542.003 | Pre-OS Boot: Bootkit
Persistence | T1543.003 | Create or Modify System Process: Windows Service
Persistence | T1546.001 | Event Triggered Execution: Change Default File Association
Persistence | T1546.012 | Event Triggered Execution: Image File Execution Options Injection
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL
Privilege Escalation | T1053.002 | Scheduled Task/Job: At
Privilege Escalation | T1053.005 | Scheduled Task/Job: Scheduled Task
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1134 | Access Token Manipulation
Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service
Privilege Escalation | T1546.001 | Event Triggered Execution: Change Default File Association
Privilege Escalation | T1546.012 | Event Triggered Execution: Image File Execution Options Injection
Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL
Credential Access | T1056.001 | Input Capture: Keylogging
Discovery | T1010 | Application Window Discovery
Discovery | T1012 | Query Registry
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1057 | Process Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1087 | Account Discovery
Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks
Discovery | T1518.001 | Software Discovery: Security Software Discovery
Discovery | T1614 | System Location Discovery
Collection | T1056.001 | Input Capture: Keylogging
Collection | T1113 | Screen Capture
Collection | T1213 | Data from Information Repositories
Command and Control | T1102 | Web Service
Impact | T1529 | System Shutdown/Reboot
Stealth | T1027.002 | Obfuscated Files or Information: Software Packing
Stealth | T1055 | Process Injection
Stealth | T1070.004 | Indicator Removal: File Deletion
Stealth | T1070.006 | Indicator Removal: Timestomp
Stealth | T1134 | Access Token Manipulation
Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks
Stealth | T1542.003 | Pre-OS Boot: Bootkit
Stealth | T1564.003 | Hide Artifacts: Hidden Window
Stealth | T1620 | Reflective Code Loading
Defense Impairment | T1222 | File and Directory Permissions Modification
Defense Impairment | T1112 | Modify Registry

Relevancy and Insights:

  • The ransomware primarily affects the Windows operating system, which is commonly utilized in enterprise environments across multiple industries.
  • Debug and sandbox environment detection: The ransomware checks whether it is being monitored in a sandbox, a virtual machine, or under a debugger. To do so it may look for processes, drivers, or artifacts linked to analysis tools, measure timing to spot inconsistencies, or scan for system traits that are uncommon on real user machines. When such conditions are detected, it can change its behavior, for example by pausing execution, exiting, or withholding key payload actions, to avoid detection and make detailed analysis more difficult.
  • Long Sleep Delays: Implements extended sleep intervals during execution, a common anti-analysis technique used to outlast automated sandbox time limits and evade behavioral monitoring.
  • Persistence: The ransomware establishes persistence mechanisms to survive reboots and continue malicious activity within the compromised environment. This may involve creating autostart entries or modifying system settings to maintain a foothold and facilitate follow-on attacks.
  • The ransomware executes commands such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive to delete Volume Shadow Copies, which Windows uses for restore points and local backups. By removing the shadow copies, the malware prevents victims from recovering files through System Restore or backup utilities that rely on them.
  • WMI usage: The ransomware leverages Windows Management Instrumentation (WMI), a versatile Windows feature that lets it discreetly collect system information, control processes, or execute commands (including the shadow copy deletion above). Because WMI activity blends with legitimate administration, this technique is commonly used to avoid detection and carry out reconnaissance within the system.

ETLM Assessment:
CYFIRMA assesses that Friends ransomware is likely to evolve into a more advanced and adaptable threat, with future variants expanding beyond file encryption to incorporate enhanced double-extortion capabilities and more targeted attack methodologies. The operators may strengthen encryption implementations, improve defense evasion techniques, and introduce more resilient persistence mechanisms that enable the malware to survive reboots and security remediation efforts. As ransomware campaigns continue to prioritize enterprise networks, future versions may also be optimized to disrupt critical infrastructure and high-value business operations, increasing the overall impact of successful compromises.

Future iterations are expected to adopt a more modular architecture, allowing threat actors to integrate additional capabilities such as credential harvesting, privilege escalation, lateral movement, and reconnaissance within compromised environments. Such functionality would enable attackers to identify and encrypt the most valuable assets while simultaneously targeting network shares, virtualization platforms, backup repositories, and cloud-hosted resources. The inclusion of anti-analysis, anti-debugging, and anti-forensic features could further complicate malware detection, hinder incident response activities, and reduce opportunities for forensic reconstruction of the attack chain.

The broader ransomware landscape suggests that data exfiltration will remain a central component of future Friends ransomware campaigns, with encryption serving as only one stage of a larger extortion strategy. Beyond locking files, future variants may increasingly exploit stolen corporate and personal information through public leak sites, private resale, or repeated extortion attempts against affected organizations. This evolution would transform incidents into complex, multi-stage intrusions that require organizations to focus not only on backup and recovery but also on continuous monitoring, network segmentation, identity protection, data loss prevention, and comprehensive incident response planning to minimize operational and financial impact.

Sigma rules:
title: Shadow Copies Deletion Using Operating Systems Utilities
tags:
    - attack.impact
    - attack.stealth
    - attack.t1070
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection1_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wmic.exe'
              - '\vssadmin.exe'
              - '\diskshadow.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wmic.exe'
              - 'VSSADMIN.EXE'
              - 'diskshadow.exe'
    selection1_cli:
        CommandLine|contains|all:
            - 'shadow'   # will match "delete shadows" and "shadowcopy delete" and "shadowstorage"
            - 'delete'
    selection2_img:
        - Image|endswith: '\wbadmin.exe'
        - OriginalFileName: 'WBADMIN.EXE'
    selection2_cli:
        CommandLine|contains|all:
            - 'delete'
            - 'catalog'
            - 'quiet'   # will match -quiet or /quiet
    selection3_img:
        - Image|endswith: '\vssadmin.exe'
        - OriginalFileName: 'VSSADMIN.EXE'
    selection3_cli:
        CommandLine|contains|all:
            - 'resize'
            - 'shadowstorage'
        CommandLine|contains:
            - 'unbounded'
            - '/MaxSize='
    condition: (all of selection1*) or (all of selection2*) or (all of selection3*)
falsepositives:
    - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
    - LANDesk LDClient Ivanti-PSModule (PS EncodedCommand)
level: high
(Source: Surface Web)
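The rule above, expressed as plain matching logic over process-creation events, as an added example (not CYFIRMA's code and not part of the original report). The events are constructed to exercise each selection group: the vssadmin and wmic commands quoted in the Relevancy section, a wbadmin catalog deletion, a shadowstorage resize, and a renamed copy of vssadmin that only the OriginalFileName field gives away. Sigma string matching is case-insensitive and a list of two maps is an OR, which the helpers below reproduce.

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str                # full path of the executed binary
    original_file_name: str   # PE version resource; survives renaming the file
    command_line: str


# Image suffixes / OriginalFileName values from selection1_img, selection2_img, selection3_img
SEL1_IMG = ("\\powershell.exe", "\\pwsh.exe", "\\wmic.exe", "\\vssadmin.exe", "\\diskshadow.exe")
SEL1_OFN = ("powershell.exe", "pwsh.dll", "wmic.exe", "vssadmin.exe", "diskshadow.exe")
SEL2_IMG, SEL2_OFN = ("\\wbadmin.exe",), ("wbadmin.exe",)
SEL3_IMG, SEL3_OFN = ("\\vssadmin.exe",), ("vssadmin.exe",)


def image_matches(ev, suffixes, originals):
    # Either the path suffix or the OriginalFileName may match (Sigma list-of-maps = OR).
    return ev.image.lower().endswith(suffixes) or ev.original_file_name.lower() in originals


def contains_all(cmd, terms):
    c = cmd.lower()
    return all(t in c for t in terms)


def contains_any(cmd, terms):
    c = cmd.lower()
    return any(t in c for t in terms)


def match_selection(ev):
    """Return the selection group that fires, or None.
    Rule condition: (all of selection1*) or (all of selection2*) or (all of selection3*)."""
    if image_matches(ev, SEL1_IMG, SEL1_OFN) and contains_all(ev.command_line, ("shadow", "delete")):
        return "selection1"
    if image_matches(ev, SEL2_IMG, SEL2_OFN) and contains_all(ev.command_line, ("delete", "catalog", "quiet")):
        return "selection2"
    if (image_matches(ev, SEL3_IMG, SEL3_OFN)
            and contains_all(ev.command_line, ("resize", "shadowstorage"))
            and contains_any(ev.command_line, ("unbounded", "/maxsize="))):
        return "selection3"
    return None


# Constructed sample events (not telemetry from an infection).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin.exe Delete Shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe",
                 "wmic shadowcopy delete /nointeractive"),
    ProcessEvent(r"C:\Windows\System32\wbadmin.exe", "WBADMIN.EXE",
                 "wbadmin delete catalog -quiet"),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"),
    # renamed copy of vssadmin: the path no longer matches, OriginalFileName still does
    ProcessEvent(r"C:\Users\Public\vs.exe", "VSSADMIN.EXE",
                 "vs.exe delete shadows /all /quiet"),
    # benign: enumerating shadows, no deletion verb
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "VSSADMIN.EXE",
                 "vssadmin list shadows"),
]


def triage(events):
    """Return (command_line, selection) for every event the rule would flag."""
    hits = []
    for ev in events:
        sel = match_selection(ev)
        if sel:
            hits.append((ev.command_line, sel))
    return hits


if __name__ == "__main__":
    for cmd, sel in triage(SAMPLE_EVENTS):
        print(f"{sel}: {cmd}")
```

The renamed-binary case is the reason the rule keys on OriginalFileName as well as Image; an operator who copies vssadmin.exe to another name still produces the same version resource in the process-creation record.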

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

  • Enforce strong encryption, authentication, and access-control configurations for access to critical systems in both cloud and on-premises environments.
  • Maintain backups of critical systems, keep at least one copy offline or immutable so that it cannot be reached from a compromised host, and test restoration regularly so that data can be recovered when needed.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Implement a zero-trust security model alongside multifactor authentication (MFA) to reduce the risk of credential compromise.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rule for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.
  • Establish and implement protective controls by actively monitoring and blocking identified indicators of compromise (IoCs) and reinforcing defensive measures based on the provided tactical intelligence.

Active Malware of the Week

Type: Information Stealer | Objectives: Credential Theft / Data Exfiltration | Target Technology: Windows | Target Geography: Global

CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week, “LuvswagStealer” is in focus.

Overview of LuvswagStealer Malware
LuvswagStealer is a Windows-based information-stealing malware designed to covertly collect sensitive information from compromised systems while employing multiple defense evasion and persistence mechanisms to maintain long-term access. The malware combines credential theft, system reconnaissance, user activity monitoring, and command-and-control (C2) communication within a single payload, enabling threat actors to harvest valuable information and facilitate subsequent stages of an intrusion. Its broad range of capabilities makes it a significant threat to both individual users and enterprise environments.

During execution, the malware performs extensive reconnaissance to profile the infected host by gathering system information, enumerating running processes, identifying installed software, querying registry settings, and collecting user-specific details. It also incorporates multiple anti-analysis techniques, including debugger detection, virtual machine identification, execution delay checks, code obfuscation, and software packing, to evade automated analysis environments and hinder reverse engineering. These mechanisms significantly improve its ability to remain concealed throughout the infection lifecycle.

To establish persistence and execute malicious operations discreetly, the malware modifies Windows Registry entries associated with startup execution and leverages process injection to execute malicious code within legitimate processes. Additionally, it employs registry manipulation, obfuscated code, and security control impairment techniques to reduce its visibility and complicate forensic investigations. These capabilities enable the malware to maintain persistent access while blending with legitimate system activity.

Once active, the malware communicates with remote command-and-control (C2) infrastructure using standard application-layer protocols to transmit stolen information and receive additional instructions. Its data collection capabilities include keystroke logging, clipboard monitoring, screenshot capture, audio recording, and the theft of locally stored data. The combination of comprehensive information theft, stealth techniques, persistence mechanisms, and resilient C2 communication demonstrates a mature and capable threat, reinforcing the need for layered security controls, continuous behavioral monitoring, and timely incident response to minimize organizational risk.

Attack Method
The infection begins when the malicious executable is launched on a Windows system, after which it initializes the required Windows libraries and validates the execution environment before activating its core functionality. The malware performs multiple anti-analysis checks, including debugger detection, virtual machine identification, and execution timing validation using functions such as GetTickCount. It also employs software packing, stack-string obfuscation, and encoded data to conceal its functionality, making static analysis and automated sandbox detection significantly more difficult.

After successful execution, the malware performs extensive host reconnaissance to build a profile of the compromised system. It enumerates running processes, installed software, registry keys, system configuration, network settings, user information, keyboard layout, and file system contents. Additional discovery routines identify analysis tools and virtualized environments while inspecting Portable Executable (PE) sections and memory permissions to determine whether the sample is executing within a monitored environment. This reconnaissance enables the malware to tailor its execution and avoid exposing its full capabilities when analysis is suspected.

To establish persistence and evade security mechanisms, the malware modifies Windows Registry entries associated with startup execution and Winlogon-related registry locations. It can inject code into legitimate processes, creating and managing threads, suspending or resuming execution, and terminating selected processes. The malware further manipulates registry values, performs self-deletion when required, and attempts to impair defensive controls. Runtime API resolution, COMSPEC environment variable usage, and extensive Windows API interactions reduce its static footprint while increasing execution flexibility across different Windows environments.

Following successful persistence, the malware activates its information-stealing capabilities and establishes outbound communication with its command-and-control infrastructure over HTTP and raw TCP using the WinINet and Winsock APIs. It resolves remote domains, creates network requests, exchanges data with external servers, and supports bidirectional communication for tasking. Simultaneously, it captures keystrokes through application hooks and polling techniques, monitors clipboard contents, records screenshots and microphone audio, collects files and stored information, and encrypts or encodes harvested data using RC4, XOR, Base64 encoding, and the Windows Data Protection API (DPAPI) before transmitting it to remote operators. This combination of stealth, reconnaissance, persistence, credential harvesting, and encrypted data exfiltration enables the malware to operate effectively while minimizing the likelihood of detection.
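The RC4, XOR, and Base64 layering described above, as an added example that is not part of the original report and not code recovered from the malware: an analyst-side decoder for a captured exfiltration record. The layer order (XOR, then RC4, then Base64), the keys, and the record format are assumptions made for illustration; for a real sample the key and framing come from reverse engineering. The RC4 routine is checked against the public test vector (key "Key", plaintext "Plaintext") so that a decoding failure can be attributed to the key or layer order rather than to the cipher implementation.

```python
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt (symmetric): key scheduling, then keystream XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the usual single-byte XOR layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_blob(record: bytes, rc4_key: bytes, xor_key: bytes) -> str:
    """Stealer side (assumed layer order): XOR -> RC4 -> Base64."""
    return base64.b64encode(rc4(rc4_key, xor_bytes(record, xor_key))).decode("ascii")


def decode_blob(blob: str, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Analyst side: peel the layers in reverse. A wrong key or wrong layer
    order does not raise; it yields garbage, so check the result before trusting it."""
    return xor_bytes(rc4(rc4_key, base64.b64decode(blob)), xor_key)


def looks_decoded(plain: bytes) -> bool:
    """Plausibility check for the assumed record format: printable ASCII with '|' separators."""
    return all(32 <= b < 127 for b in plain) and b"|" in plain


# Constructed sample: made-up keys and a fake clipboard/credential record (not from the sample).
SAMPLE_RC4_KEY = b"luv-sample-key"   # assumption, not a key from the malware
SAMPLE_XOR_KEY = b"\x5a"             # assumption
SAMPLE_RECORD = b"host=WS01|user=alice|clip=hunter2|kbd=en-US"
SAMPLE_BLOB = encode_blob(SAMPLE_RECORD, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)

if __name__ == "__main__":
    print("captured:", SAMPLE_BLOB)
    plain = decode_blob(SAMPLE_BLOB, SAMPLE_RC4_KEY, SAMPLE_XOR_KEY)
    print("decoded :", plain, "plausible" if looks_decoded(plain) else "garbage")
    wrong = decode_blob(SAMPLE_BLOB, b"wrong-key", SAMPLE_XOR_KEY)
    print("wrong key:", "plausible" if looks_decoded(wrong) else "garbage")
```

When the key is unknown, the same decoder is the inner loop of a key search: candidate keys pulled from the binary's strings or from the YARA hits are tried in turn, and looks_decoded (or a stricter check against a known field name) decides which candidate is right.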

The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises

Tactic | Technique ID | Technique Name
Execution | T1059 | Command and Scripting Interpreter
Execution | T1129 | Shared Modules
Persistence | T1112 | Modify Registry
Persistence | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1055 | Process Injection
Stealth | T1027 | Obfuscated Files or Information
Stealth | T1027.002 | Obfuscated Files or Information: Software Packing
Stealth | T1070 | Indicator Removal
Stealth | T1140 | Deobfuscate/Decode Files or Information
Stealth | T1497 | Virtualization/Sandbox Evasion
Credential Access | T1056 | Input Capture
Discovery | T1010 | Application Window Discovery
Discovery | T1012 | Query Registry
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1033 | System Owner/User Discovery
Discovery | T1057 | Process Discovery
Discovery | T1518.001 | Software Discovery: Security Software Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1083 | File and Directory Discovery
Discovery | T1087 | Account Discovery
Discovery | T1518 | Software Discovery
Discovery | T1614 | System Location Discovery
Collection | T1005 | Data from Local System
Collection | T1213 | Data from Information Repositories
Command and Control | T1071 | Application Layer Protocol

INSIGHTS

  • The capabilities exhibited by this malware indicate a clear emphasis on collecting a broad spectrum of user and system information rather than focusing on a single category of data. By combining credential theft, clipboard monitoring, screenshot capture, and system profiling within a single payload, the threat can provide operators with a comprehensive view of an infected environment. This multi-faceted approach increases the overall value of each compromise and allows the malware to support a variety of malicious objectives without requiring additional payloads.
  • Another notable characteristic is the balance between stealth and functionality. The malware integrates numerous concealment techniques while maintaining an extensive set of data collection features, suggesting that avoiding detection is considered equally important as harvesting information. Instead of relying on aggressive or disruptive behavior, it operates quietly in the background, enabling prolonged access to compromised systems and reducing the likelihood of attracting immediate attention from end users.
  • The malware also reflects the growing trend of modular information stealers that consolidate several capabilities into a single executable. Rather than specializing in one form of data theft, it incorporates features that target user activity, locally stored information, and system intelligence simultaneously. This level of versatility allows a single infection to generate diverse intelligence for threat actors, increasing the operational value of compromised hosts while minimizing the need for deploying multiple malware families during an intrusion.

ETLM ASSESSMENT
CYFIRMA's ETLM assessment indicates that information-stealing malware is likely to remain a persistent threat as organizations continue expanding their digital ecosystems and employees increasingly rely on cloud services, remote connectivity, and interconnected business applications. Future campaigns are expected to place greater emphasis on harvesting identities and organizational information that can be leveraged for financial fraud, unauthorized access, and follow-on intrusions. As a result, enterprises may face heightened risks of data exposure, operational disruption, and reputational damage, while employees could become more frequent targets of identity theft, account compromise, and highly personalized social engineering attacks built from previously stolen information.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)

YARA Rules
import "hash"

rule LuvswagStealer_Detection
{
    meta:
        description = "Detects LuvswagStealer based on unique strings and known SHA-256 hash"
        author = "CYFIRMA"
        date = "2026-06-30"
        malware_family = "LuvswagStealer"
        sha256 = "b45bbb0582aa658722616257d7cde23eb98430a2f31dbac3de596365122a642f"

    strings:
        /* Network indicators ($s1 and $s3 are substrings of $s2 and $s4, so a
           single URL counts twice toward the "6 of" threshold) */
        $s1 = "discord.com" ascii wide
        $s2 = "https://discord.com/api/v10/users/" ascii wide
        $s3 = "ip-api.com" ascii wide
        $s4 = "http://ip-api.com/line/?fields=country" ascii wide

        /* Anti-analysis (API names also appear in many benign binaries) */
        $s5 = "CheckRemoteDebuggerPresent" ascii
        $s6 = "WudfIsAnyDebuggerPresent" ascii
        $s7 = "GetTickCount" ascii
        $s8 = "VMware" ascii wide
        $s9 = "VirtualBox" ascii wide

        /* Registry paths */
        $s10 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders" ascii wide
        $s11 = "Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags" ascii wide

        /* Crypto / encoding */
        $s12 = "RC4" ascii wide
        $s13 = "Base64" ascii wide

    condition:
        uint16(0) == 0x5A4D and (
            /* A file never contains its own SHA-256, so the hash is compared with
               the hash module instead of being searched for as a string. */
            hash.sha256(0, filesize) == "b45bbb0582aa658722616257d7cde23eb98430a2f31dbac3de596365122a642f"
            or 6 of ($s*)
        )
}

Recommendations

Strategic Recommendations

  • Adopt a defense-in-depth security strategy by integrating endpoint protection, network monitoring, email security, and identity protection solutions.
  • Establish a continuous threat intelligence program to monitor emerging information-stealing malware families, indicators of compromise (IOCs), and attacker tactics.
  • Implement a Zero Trust security model that enforces least-privilege access, continuous authentication, and strict access controls across enterprise resources.
  • Conduct periodic cybersecurity awareness training to educate employees on phishing, malicious downloads, and social engineering techniques commonly used to distribute malware.
  • Maintain and regularly test incident response and business continuity plans to ensure rapid containment and recovery from malware-related incidents.

Management Recommendations

  • Enforce organization-wide policies requiring multi-factor authentication (MFA) for all critical systems, cloud services, and privileged accounts.
  • Ensure operating systems, browsers, and third-party applications are updated through a structured vulnerability and patch management program.
  • Restrict administrative privileges and regularly review user permissions to minimize unauthorized access and privilege misuse.
  • Implement secure backup policies with offline or immutable backups and periodically validate restoration procedures.
  • Monitor compliance with endpoint security policies through regular security audits and risk assessments.

Tactical Recommendations

  • Deploy Endpoint Detection and Response (EDR) solutions capable of detecting process injection, registry modifications, and abnormal process behavior.
  • Monitor outbound connections to detect unauthorized communication with suspicious domains, IP addresses, and command-and-control (C2) infrastructure.
  • Block execution of untrusted binaries and scripts using application allowlisting technologies such as Windows Defender Application Control (WDAC) or AppLocker.
  • Configure detection rules to monitor persistence mechanisms, including registry Run keys, Winlogon modifications, scheduled tasks, and startup folder changes.
  • Continuously monitor for suspicious use of Windows APIs associated with credential theft, clipboard access, screen capture, and anti-analysis techniques, and investigate any anomalous endpoint behavior promptly.
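One way to act on the persistence-monitoring recommendation above, as an added example that is not CYFIRMA's code and not part of the original report: a checker over Sysmon Event ID 13 (RegistryEvent: Value Set) records that flags writes to the Run/RunOnce keys and to the Winlogon Shell and Userinit values that this report associates with LuvswagStealer (T1547.001, T1547.004). The events are constructed; the stock Winlogon defaults and the "user-writable path" heuristic are the author's assumptions, and the Shell Folders write is included because that key appears in the YARA rule above but is not by itself an autostart location.

```python
import re

# Sysmon Event ID 13 fields used here. Constructed records, not telemetry from an infection.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe,C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup",
     "Details": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
]

# Autostart locations from the report's TTP tables (T1547.001 Run keys, T1547.004 Winlogon).
RUN_KEY = re.compile(r"\\currentversion\\run(?:once)?\\([^\\]+)$")
WINLOGON = re.compile(r"\\currentversion\\winlogon\\(shell|userinit)$")

# Stock values on a default Windows install (assumption used as the baseline).
EXPECTED_WINLOGON = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe,",
}

# Paths a standard user can write to; a payload or a writer living here is the strongest signal.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def classify(event):
    """Return a verdict string for one Event ID 13 record, or None if it is not of interest."""
    target = event["TargetObject"].lower()
    details = event["Details"].strip().lower()
    image = event["Image"].lower()

    if RUN_KEY.search(target):
        if any(p in details for p in USER_WRITABLE) or any(p in image for p in USER_WRITABLE):
            return "run_key_user_writable"
        return "run_key"            # still worth logging: installers also write here

    m = WINLOGON.search(target)
    if m:
        name = m.group(1)
        if details != EXPECTED_WINLOGON[name]:
            return "winlogon_tampered"   # extra entry appended after explorer.exe / userinit.exe
        return None                      # value (re)set to the stock default
    return None


def hunt(events):
    """Return (value name, verdict) for every record that classify() flags."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            findings.append((ev["TargetObject"].rsplit("\\", 1)[-1], verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in hunt(SAMPLE_EVENTS):
        print(f"{verdict}: {name}")
```

The Winlogon check compares against the whole value rather than searching for a suspicious substring, because the technique works by appending a second program after the legitimate one; both explorer.exe and the implant are still present, so a substring match on "explorer.exe" would look clean.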

CYFIRMA’s Weekly Insights

1. Weekly Attack Types and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Stormous Ransomware, The Gentlemen Ransomware | Malware – LuvswagStealer
  • Stormous Ransomware – One of the ransomware groups.
  • The Gentlemen Ransomware – One of the ransomware groups.
    Please refer to the trending malware advisory for details on the following:
  • Malware – LuvswagStealer
    Behavior – Most of these malware families use phishing and social engineering as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are also observed.

2. Threat Actor in Focus

Turla: Evolving State-Aligned Cyber-Espionage Operations

  • Threat Actor: Turla Group
  • Attack Type: AiTM, Connection Proxy, Credential Dumping, Vulnerabilities and Exploits, Malware Implant.
  • Suspected Target Technology: Office Suites Software, Operating System, Web Application, Windows.
  • Suspected Target Geography: Belarus, France, Germany, India, Iran, Iraq, Italy, Kazakhstan, Netherlands, Poland, Romania, Russian Federation, Saudi Arabia, Switzerland, Tajikistan, Ukraine, United States, Uzbekistan.
  • Suspected Target Industries: Aerospace & Defense, Capital Goods, Defense, Government, Military, and critical infrastructure.
  • Business Impact: Data Theft, Operational Disruption, Reputational Damage.

About the Threat Actor
Turla is a Russia-linked advanced persistent threat (APT) group that has been active since at least 2008 and is widely assessed to conduct long-term cyber espionage operations in support of Russian strategic intelligence objectives. The group is known for targeting government institutions, diplomatic entities, military organizations, and other high-value networks to obtain sensitive political, military, and strategic intelligence. It employs sophisticated custom malware, covert persistence mechanisms, and encrypted command-and-control (C2) infrastructure to maintain long-term access while minimizing detection, and its advanced operational security, including custom toolsets and stealthy surveillance techniques, makes attribution and analysis particularly challenging. Turla continues to refine its tradecraft and remains one of the most capable and persistent state-sponsored cyber espionage groups.

Details on Exploited Vulnerabilities

TTPs based on MITRE ATT&CK Framework

Tactic | ID | Technique
Resource Development | T1587.001 | Develop Capabilities: Malware
Resource Development | T1583.006 | Acquire Infrastructure: Web Services
Resource Development | T1584.003 | Compromise Infrastructure: Virtual Private Server
Resource Development | T1584.004 | Compromise Infrastructure: Server
Resource Development | T1584.006 | Compromise Infrastructure: Web Services
Resource Development | T1588.002 | Obtain Capabilities: Tool
Resource Development | T1588.001 | Obtain Capabilities: Malware
Initial Access | T1189 | Drive-by Compromise
Initial Access | T1078.003 | Valid Accounts: Local Accounts
Initial Access | T1566.002 | Phishing: Spearphishing Link
Execution | T1106 | Native API
Execution | T1204.001 | User Execution: Malicious Link
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell
Execution | T1059.006 | Command and Scripting Interpreter: Python
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic
Persistence | T1078.003 | Valid Accounts: Local Accounts
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL
Persistence | T1112 | Modify Registry
Persistence | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription
Persistence | T1546.013 | Event Triggered Execution: PowerShell Profile
Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Privilege Escalation | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL
Privilege Escalation | T1078.003 | Valid Accounts: Local Accounts
Privilege Escalation | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription
Privilege Escalation | T1546.013 | Event Triggered Execution: PowerShell Profile
Privilege Escalation | T1068 | Exploitation for Privilege Escalation
Privilege Escalation | T1055 | Process Injection
Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection
Privilege Escalation | T1134.002 | Access Token Manipulation: Create Process with Token
Stealth | T1078.003 | Valid Accounts: Local Accounts
Stealth | T1134.002 | Access Token Manipulation: Create Process with Token
Stealth | T1140 | Deobfuscate/Decode Files or Information
Stealth | T1564.012 | Hide Artifacts: File/Path Exclusions
Stealth | T1036.005 | Masquerading: Match Legitimate Resource Name or Location
Stealth | T1055.001 | Process Injection: Dynamic-link Library Injection
Stealth | T1055 | Process Injection
Stealth | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools
Stealth | T1027.010 | Obfuscated Files or Information: Command Obfuscation
Stealth | T1027.011 | Obfuscated Files or Information: Fileless Storage
Defense Impairment | T1112 | Modify Registry
Defense Impairment | T1685 | Disable or Modify Tools
Defense Impairment | T1553.006 | Subvert Trust Controls: Code Signing Policy Modification
Credential Access | T1110 | Brute Force
Credential Access | T1555.004 | Credentials from Password Stores: Windows Credential Manager
Discovery | T1083 | File and Directory Discovery
Discovery | T1615 | Group Policy Discovery
Discovery | T1201 | Password Policy Discovery
Discovery | T1120 | Peripheral Device Discovery
Discovery | T1069.001 | Permission Groups Discovery: Local Groups
Discovery | T1069.002 | Permission Groups Discovery: Domain Groups
Discovery | T1057 | Process Discovery
Discovery | T1018 | Remote System Discovery
Discovery | T1087.001 | Account Discovery: Local Account
Discovery | T1087.002 | Account Discovery: Domain Account
Discovery | T1518.001 | Software Discovery: Security Software Discovery
Discovery | T1007 | System Service Discovery
Discovery | T1082 | System Information Discovery
Discovery | T1012 | Query Registry
Discovery | T1016 | System Network Configuration Discovery
Discovery | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery
Discovery | T1049 | System Network Connections Discovery
Discovery | T1124 | System Time Discovery
Lateral Movement | T1021.002 | Remote Services: SMB/Windows Admin Shares
Lateral Movement | T1570 | Lateral Tool Transfer
Collection | T1213.006 | Data from Information Repositories: Databases
Collection | T1025 | Data from Removable Media
Collection | T1560.001 | Archive Collected Data: Archive via Utility
Collection | T1005 | Data from Local System
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
Command and Control | T1071.003 | Application Layer Protocol: Mail Protocols
Command and Control | T1090 | Proxy
Command and Control | T1090.001 | Proxy: Internal Proxy
Command and Control | T1105 | Ingress Tool Transfer
Command and Control | T1102 | Web Service
Command and Control | T1102.002 | Web Service: Bidirectional Communication
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage

Latest Developments Observed
The threat actor is suspected of leveraging the STOCKSTAY backdoor to target government entities, Western Ministries of Foreign Affairs, and defense organizations in Ukraine and Italy amid heightened geopolitical tensions. The activity is assessed to be primarily intelligence-driven, with objectives centered on strategic espionage, information collection, and long-term access to sensitive government and defense networks.

ETLM Insights
Turla is assessed as a Russia-linked state-sponsored advanced persistent threat (APT) group primarily engaged in cyber espionage activities supporting strategic intelligence collection objectives. The threat actor demonstrates a mature and highly disciplined operational tradecraft that emphasizes stealth, long-term persistence, and covert intelligence gathering, enabling sustained access to strategically significant environments while minimizing operational visibility.

Operationally, the threat actor employs sophisticated intrusion methodologies centered on custom malware, trusted system components, encrypted command-and-control infrastructure, and covert persistence mechanisms to establish and maintain long-term access. Its tradecraft reflects a strong focus on operational security, adaptive intrusion techniques, and intelligence-driven operations designed to support prolonged information collection while limiting detection opportunities.

Looking ahead, the threat actor is expected to continue refining its espionage capabilities by advancing stealth-oriented intrusion techniques, enhancing operational resilience, and evolving its custom toolsets to adapt to modern defensive controls. This evolving operational model positions the group as a persistent strategic cyber espionage threat, creating sustained exposure for organizations responsible for sensitive government, diplomatic, defense, and national security information.

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems (Surface-web).

YARA Rules
rule IOC_Threat_Hunting_Generic
{
    meta:
        author = "CYFIRMA"
        description = "Detects samples containing observed IOC strings"
        date = "2026-06-30"
        version = "1.0"
        tlp = "TLP:CLEAR"

    strings:
        /* Filenames */
        $f1 = "spoolsvs.exe" ascii nocase
        $f2 = "mtathreadattribute.exe" ascii nocase
        $f3 = "rastlsc.exe" ascii nocase
        $f4 = "elf" ascii

        /* SHA256 (the hash as an ASCII string embedded in the file) */
        $sha1 = "d21908dc0c08da389aa9e4829aa934ab7f250fece1430ed5a644e0590d8876f7" ascii nocase

        /* Domains */
        $d1 = "event.target" ascii nocase
        $d2 = "securityonline.info" ascii nocase
        $d3 = "networklookout.com" ascii nocase
        $d4 = "lab52.io" ascii nocase
        $d5 = "kav-certificates.info" ascii nocase

        /* IP Addresses */
        $ip1 = "209.97.171.8" ascii
        $ip2 = "209.126.11.251" ascii
        $ip3 = "176.57.184.97" ascii
        $ip4 = "173.212.252.2" ascii
        $ip5 = "167.86.118.69" ascii

        /* CVE References */
        $cve1 = "CVE-2020-5902" ascii
        $cve2 = "CVE-2018-15982" ascii
        $cve3 = "CVE-2018-20250" ascii
        $cve4 = "CVE-2023-34362" ascii
        $cve5 = "CVE-2015-3113" ascii

    condition:
        /* PE (MZ) header, at least three of the filenames, and at least two of the
           remaining indicators. YARA refuses to compile a rule with declared but
           unreferenced strings, so $sha* and $cve* are included in the last clause. */
        uint16(0) == 0x5A4D and
        3 of ($f*) and
        2 of ($d*, $ip*, $sha*, $cve*)
}

Recommendations

Strategic Recommendations

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Block exploit-like behaviour. Monitor endpoint memory for behavioural patterns typical of exploitation, such as unusual process handle requests. These patterns are common to most exploits, known or new, so identifying them provides effective protection against zero-day and critical exploits.

Management Recommendations

  • Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
  • Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.

Tactical Recommendations

  • For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
  • Protect accounts with multi-factor authentication. Exercise caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
  • Apply security measures to detect unauthorized activities and protect sensitive production and process control systems from cyberattacks.
  • Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
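As an added example that is not part of the original report, the following Python script applies the indicators listed in the YARA rule above (IP addresses, domains and filenames) to a few constructed DNS, firewall and process-creation log lines. IPs are matched exactly, domains on an exact-or-subdomain basis (so a look-alike such as notlab52.io does not fire), and filenames on the executable's basename, which is the matching behaviour a SIEM watchlist should have. The log lines and their formats are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Indicators as listed in this report's YARA rule.
IOC_IPS = {
    "209.97.171.8", "209.126.11.251", "176.57.184.97",
    "173.212.252.2", "167.86.118.69",
}
IOC_DOMAINS = {
    "event.target", "securityonline.info", "networklookout.com",
    "lab52.io", "kav-certificates.info",
}
IOC_FILENAMES = {"spoolsvs.exe", "mtathreadattribute.exe", "rastlsc.exe"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dotted hostname ending in an alphabetic TLD, so IPv4 literals are not treated as hosts.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Basename of an .exe; path separators (\ or /) are excluded so only the name is captured.
EXE_RE = re.compile(r"[\w\-.]+\.exe\b", re.IGNORECASE)

# Constructed sample log lines (not taken from the report or any real environment).
SAMPLE_LOGS = [
    "2026-06-30T10:01:12Z dns query src=10.0.5.21 qname=cdn.lab52.io type=A",
    "2026-06-30T10:01:13Z fw allow src=10.0.5.21 dst=173.212.252.2 dport=443",
    "2026-06-30T10:02:40Z sysmon ProcessCreate Image=C:\\Windows\\Temp\\spoolsvs.exe "
    "ParentImage=C:\\Windows\\explorer.exe",
    "2026-06-30T10:03:01Z proxy GET https://notlab52.io/update src=10.0.5.30",
    "2026-06-30T10:03:05Z fw allow src=10.0.5.30 dst=8.8.8.8 dport=53",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip", "domain" or "filename"
    indicator: str   # the IOC that matched, normalised


def match_domain(host: str, ioc_domains: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    The suffix test is anchored on a label boundary ("." + domain), so
    "notlab52.io" does not match "lab52.io" while "cdn.lab52.io" does.
    """
    host = host.lower().rstrip(".")
    for domain in ioc_domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_lines(lines: Iterable[str]) -> list[Hit]:
    """Scan log lines and return one Hit per distinct indicator per line."""
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        seen: set[tuple[str, str]] = set()

        def add(kind: str, indicator: str) -> None:
            if (kind, indicator) not in seen:
                seen.add((kind, indicator))
                hits.append(Hit(line_no, kind, indicator))

        for ip in IPV4_RE.findall(line):
            if ip in IOC_IPS:
                add("ip", ip)
        for host in HOST_RE.findall(line):
            domain = match_domain(host, IOC_DOMAINS)
            if domain is not None:
                add("domain", domain)
        for exe in EXE_RE.findall(line):
            if exe.lower() in IOC_FILENAMES:
                add("filename", exe.lower())
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} IOC {hit.indicator} <- {SAMPLE_LOGS[hit.line_no - 1]}")
```

Run against the embedded sample, the scanner reports three hits (the DNS query for a lab52.io subdomain, the outbound connection to 173.212.252.2, and the spoolsvs.exe process creation) and stays silent on the look-alike domain and the unrelated traffic. To use it on real telemetry, feed the lines from a file or a SIEM export to `scan_lines` and extend the three IOC sets from the report's IOC section.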

3. Major Geopolitical Developments in Cybersecurity

Chinese hackers target critical infrastructure across Southeast Asia
Researchers are tracking a cluster of threat activity carried out by Chinese-speaking actors targeting critical infrastructure across Southeast Asia. Researchers have linked the group to previous attacks on web hosting infrastructure in Taiwan. According to one of the research groups, their latest campaign demonstrates a sustained, long-term focus on the Asia-Pacific region. In the most recent wave of attacks, the group shifted focus to the energy sector and government organizations. They deployed a newly identified Trojan called TinyRCT – a lightweight, custom backdoor written in C#.

ETLM Assessment:
As previously noted in CYFIRMA reports like this one, China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical infrastructure and global security. The Salt Typhoon and Volt Typhoon campaigns highlight this transformation; the former penetrated telecommunications networks in over 80 countries, accessing vast communications and geolocation data, and the latter embedded malware in U.S. critical infrastructure sectors like energy, transportation, and water systems. As China’s cyber capabilities grow more sophisticated and disruptive, rival nations must confront the reality of a new threat landscape, where digital vulnerabilities could reshape geopolitical outcomes and challenge the resilience of open societies.

FBI warns on Russian phishing attacks targeting messaging apps
The US FBI and CISA have updated their previous public service announcement, warning that Russian intelligence services are targeting Signal and other commercial messaging apps. The threat actors are now specifically going after Backup Recovery Keys through phishing attacks. These operations do not exploit any vulnerabilities in the messaging apps themselves. The campaign has primarily targeted current and former U.S. and international government officials, military personnel, political figures, journalists, and key officials located in Ukraine. According to the advisory, if a victim inadvertently shares their Backup Recovery Key, that same key remains valid even if they later create a new account using the same phone number. This means the actor could potentially use the compromised key to take over the new account in the future.

ETLM Assessment:
As previously noted by CYFIRMA, the goal of the Russian state-backed hackers in this large-scale global cyber campaign is to gain unauthorized access to Signal and WhatsApp accounts belonging to high-value targets such as dignitaries, government officials, civil servants, military personnel, and potentially journalists or others of interest to the Russian government – including confirmed victims among Dutch and USA government employees – in order to conduct espionage by secretly reading private messages, monitoring communications, and eavesdropping on group chats without needing to break the apps’ end-to-end encryption, thus enabling surveillance of sensitive discussions related to national security, policy, or other strategic information valuable to Russian state interests.

4. Rise in Malware/Ransomware and Phishing

Stormous Ransomware Impacts a Chemical & Pharmaceutical Distribution Company from Japan

  • Attack Type: Ransomware
  • Target Industry: Chemical & Pharmaceutical Distribution
  • Target Geography: Japan
  • Ransomware: Stormous Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Japan was compromised by Stormous Ransomware. The compromised company is a long-established Japanese trading company specialising in the distribution of specialty chemicals, pharmaceutical ingredients, industrial materials, food ingredients, and analytical equipment. Based on the information shown in the image, the ransomware operators claim to have compromised a broad range of financial and corporate business data belonging to the organization. The allegedly stolen data includes comprehensive financial statements, such as balance sheets, asset records, liabilities, capital information, accounts receivable (A/R), and accounts payable (A/P). At the time of the posting, the leak was marked as “Pending,” indicating that the attackers were claiming possession of the data and had not yet publicly released it.

Source: Dark Web

Relevancy & Insights:

  • Stormous Ransomware is a financially motivated cybercriminal group that operates a dedicated data leak site to extort victims by threatening to publish stolen data unless a ransom is paid.
  • The Stormous Ransomware group primarily targets countries such as the United States of America, Italy, Turkey, France, and the United Kingdom.
  • The Stormous Ransomware group primarily targets industries including Retail – E-Commerce & Direct-to-Consumer, Enterprise Software & Applications, Textile & Apparel, Systems Integration & IT Solutions, and IT Services.
  • Based on the Stormous Ransomware victims list from 1st Jan 2025 to 30th June 2026, the top 5 Target Countries are as follows:
  • The Top 10 Industries most affected by the Stormous Ransomware group victims list from 1st Jan 2025 to 30th June 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Stormous represents a persistent financially motivated ransomware and data extortion threat that combines data theft with public leak-site extortion to maximize pressure on victims. Although the group has made numerous high-profile claims, its continued targeting of organizations across critical sectors highlights the importance of robust identity security, continuous network monitoring, timely vulnerability remediation, and effective data loss prevention measures to detect, contain, and mitigate potential ransomware and extortion attacks.

The Gentlemen Ransomware Impacts a Diversified Conglomerate Company from Kuwait

  • Attack Type: Ransomware
  • Target Industry: Diversified Conglomerate
  • Target Geography: Kuwait
  • Ransomware: The Gentlemen Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary: CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Kuwait was compromised by The Gentlemen Ransomware. The compromised company is a diversified group of companies with a portfolio spanning high-growth and high-impact industries across the GCC region. Their extensive operations encompass a wide range of sectors, including engineering, architectural solutions, hospitality, food & beverage, logistics, healthcare, and venture capital. The group is committed to delivering integrated, end-to-end services while fostering long-term sustainable growth across all its businesses. The breached data has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web

Relevancy & Insights:

  • The Gentlemen is a highly sophisticated ransomware-as-a-service (RaaS) group that emerged in mid-2025.
  • The Gentlemen Ransomware group primarily targets countries such as the United States of America, Thailand, France, Brazil, and India.
  • The Gentlemen Ransomware group primarily targets industries including Manufacturing, Professional Goods & Services, Consumer Goods & Services, Healthcare, and Information Technology.
  • Based on the Gentlemen Ransomware victims list from 1st Jan 2025 to 30th June 2026, the top 5 Target Countries are as follows:
  • The Top 10 Industries most affected by the Gentlemen Ransomware victims list from 1st Jan 2025 to 30th June 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.

5. Vulnerabilities and Exploits

Vulnerability in Autodesk Fusion 360

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Computer-Aided Design (CAD) / Product Design and Manufacturing Software
  • Vulnerability: CVE-2026-10789
  • CVSS Base Score: 9.6
  • Vulnerability Type: Improper Access Control
  • Summary: The vulnerability allows a remote attacker to execute arbitrary code

Relevancy & Insights:
The vulnerability exists due to improper access control in the MCP extension when processing a maliciously crafted webpage visited by a user while Autodesk Fusion Desktop is running.

Impact:
A remote attacker can cause the user to visit a maliciously crafted webpage to execute arbitrary code.
Exploitation requires the MCP extension to be enabled, and user interaction is required.

Affected Products:
https[:]//www[.]Autodesk[.]com/trust/security-advisories/adsk-sa-2026-0008

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Autodesk Fusion 360 introduces significant risks to organizations that rely on computer-aided design (CAD), engineering, and manufacturing software for product development and collaborative design workflows. As Autodesk Fusion 360 is widely used by engineers, designers, and manufacturing teams to design, simulate, manufacture, and manage product lifecycles, exploitation of this vulnerability could allow attackers to execute arbitrary code and compromise engineering workstations or sensitive design environments. A successful attack against affected systems may result in unauthorized access to valuable intellectual property, disruption of engineering operations, compromise of product design workflows, and increased risk of lateral movement across enterprise networks. Organizations leveraging Autodesk Fusion 360 must ensure timely patching, continuously monitor engineering endpoints, and implement secure configuration practices to mitigate the risk of exploitation. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and availability of engineering assets, product design data, and enterprise manufacturing environments.

6. Latest Cyber-Attacks, Incidents, and Breaches

DragonForce Ransomware attacked and published the data of a Manufacturing company from Japan

  • Threat Actor: DragonForce Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Manufacturing
  • Target Geography: Japan
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that DragonForce Ransomware attacked and published the data of a Manufacturing company from Japan on its dark web website. The compromised company is a Japanese manufacturer specializing in the design and production of safety valves, relief valves, and pressure control equipment for industrial applications. Established in 1952, the company has decades of experience developing high-performance valve technologies for critical pressure systems across various industries. Based on the information shown in the image, the ransomware operators claim to have exfiltrated approximately 28.11 GB of corporate data. The compromised information reportedly includes a comprehensive corporate overview, encompassing official company profiles, technical catalogs, industrial registration documents, and other business-related records. The leak notice also indicates that published files are available, suggesting that the stolen dataset may contain additional internal documentation, operational records, technical materials, and proprietary business information.

Source: Dark Web

Relevancy & Insights:

  • DragonForce Ransomware poses a significant threat as a mature Ransomware-as-a-Service (RaaS) operation active since mid-2023, employing sophisticated double-extortion tactics across Windows, Linux, ESXi, and NAS environments.
  • The DragonForce Ransomware group primarily targets industries, such as Professional Goods & Services, Consumer Goods & Services, Manufacturing, Real Estate & Construction, and Information Technology.

ETLM Assessment:
According to CYFIRMA’s assessment, DragonForce represents a significant threat in the ransomware landscape due to its advanced operational methods and extensive use of modified ransomware tools. As it continues to target high-profile organizations globally, ongoing vigilance and proactive cybersecurity strategies will be essential for mitigating risks associated with this formidable threat actor. Organizations should remain alert to the evolving tactics employed by groups like DragonForce to protect their sensitive data and maintain operational integrity.

7. Data Leaks

Unauthorised Firewall Access Advertised on a Leak Site

  • Attack Type: Access Sale
  • Target Industry: Financial Technology
  • Target Geography: United Arab Emirates (UAE)
  • Objective: Financial Gain
  • Business Impact: Unauthorized Administrative Access, Network Compromise, Data Theft, Operational Disruption, Regulatory Compliance Risks, Financial Loss, and Reputational Damage.

Summary:
The CYFIRMA research team identified a post on a dark web forum advertising the sale of alleged privileged access to an organization’s firewall infrastructure operating within the financial technology sector in the United Arab Emirates. According to the advertisement, the offered access includes a Linux-based firewall with root-level remote code execution (RCE) and shell access, enabling a buyer to obtain administrative control over the exposed system. The seller claims the access is available for a fixed price of $400 and is intended exclusively for serious buyers, with further communication facilitated through an encrypted messaging platform. No additional information regarding the organization’s size, revenue, or internal environment is disclosed in the advertisement.

Based on the information presented in the forum post, the advertised access may provide the following capabilities:

  • Root-level administrative privileges.
  • Remote code execution (RCE) on the firewall appliance.
  • Interactive shell access to the operating system.
  • Ability to modify firewall rules and security policies.
  • Potential to establish persistent access mechanisms.
  • Network reconnaissance and mapping of internal infrastructure.
  • Lateral movement into connected systems and servers.
  • Deployment of malware, ransomware, or other malicious payloads.
  • Traffic interception, monitoring, or redirection.
  • Disabling or bypassing existing security controls.
  • Creation of additional privileged accounts or backdoors.
  • Facilitation of follow-on attacks against enterprise assets.

If the advertised access is genuine, attackers could leverage the compromised firewall as an entry point to gain broader access to the organization’s internal environment. Such access may enable credential theft, unauthorized data exfiltration, deployment of ransomware, disruption of business operations, manipulation of network security policies, and compromise of sensitive financial systems. Because firewalls typically serve as critical perimeter security devices, their compromise can significantly weaken an organization’s overall security posture and increase the likelihood of further attacks across connected infrastructure.

The authenticity of the advertised access remains unverified at the time of reporting. The assessment is based solely on information published in a dark web forum advertisement, and no independent verification has confirmed that the claimed access is legitimate or currently active.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.

Recommendations: Enhance the cybersecurity posture by:

  1. Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  2. Ensure proper database configuration to mitigate the risk of database-related attacks.
  3. Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA research team identified a post on a dark web forum advertising the alleged sale of a customer database belonging to a digital veterinary care platform operating in Singapore. According to the forum advertisement, the seller claims the dataset contains information relating to approximately 28,641 users. The post states that the data originates from the platform’s internal systems and is accompanied by sample data as proof of possession. The seller further indicates that the dataset is available for purchase and also threatens to sell the information publicly if a ransom demand is not met before the specified deadline.

Based on the information presented in the forum advertisement, the allegedly compromised dataset may include:

  • Customer personally identifiable information (PII)
  • Pet owner profile information
  • User account registration details
  • Contact information, including names, email addresses, and phone numbers
  • Appointment booking records
  • Veterinary consultation history
  • Pet health and medical records
  • Prescription and treatment information
  • Referral and clinic visit records
  • Account identifiers and platform metadata
  • Internal application data associated with veterinary services
  • Additional user-related operational records

According to the advertisement, the seller claims to possess approximately 28,641 user records and has provided sample data to demonstrate possession of the alleged dataset. The post further states that the information will remain available for purchase until the specified deadline, after which it may be released or sold to third parties if no agreement is reached.

If verified, the exposure of this information could present significant risks to affected individuals and the organization. Threat actors could exploit the disclosed data to conduct phishing campaigns, identity theft, account takeover attempts, credential stuffing attacks, social engineering, business email compromise (BEC), and fraud. The compromise of veterinary consultation records and customer information may also expose sensitive personal data, increasing privacy concerns and potentially resulting in regulatory scrutiny, legal liabilities, financial losses, and reputational damage.

The authenticity of the advertised dataset remains unverified at the time of reporting. The assessment is based solely on information published in a dark web forum advertisement and has not been independently confirmed.

Source: Underground Forums

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence, providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Ensure that detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies should be continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls, such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
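The rate-limiting and account-lockout controls named in the tactical recommendations above, as an added example that is not part of the report: a small in-memory guard that tracks failed logins per account in a sliding window, locks the account once a threshold is reached, and throttles attempts per source IP so that password spraying across many accounts from one address is also capped. The class, method names, thresholds, account names and IP addresses are illustrative assumptions; in production the state would live in a shared store rather than process memory.

```python
import time
from collections import defaultdict, deque


class BruteForceGuard:
    """Sliding-window failed-login tracking with per-account lockout and per-IP throttling.

    Added example; the default thresholds are illustrative assumptions, not report values.
    """

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, ip_limit=20):
        self.max_failures = max_failures   # failures per account within window_s before lockout
        self.window_s = window_s           # sliding window length in seconds
        self.lockout_s = lockout_s         # how long a locked account stays locked
        self.ip_limit = ip_limit           # attempts per source IP within window_s
        self._failures = defaultdict(deque)     # account -> timestamps of failed logins
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps of attempts
        self._locked_until = {}                 # account -> unlock time

    @staticmethod
    def _prune(stamps, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while stamps and stamps[0] <= now - window:
            stamps.popleft()

    def check(self, account, ip, now=None):
        """Decide whether a login attempt may proceed to the credential check.

        Returns "locked", "rate_limited" or "allow". Call this before verifying the
        password so a locked account never reaches the password comparison at all.
        """
        now = time.time() if now is None else now
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return "locked"
            # Lockout expired: forget the account's failure history.
            del self._locked_until[account]
            self._failures[account].clear()
        attempts = self._ip_attempts[ip]
        self._prune(attempts, now, self.window_s)
        if len(attempts) >= self.ip_limit:
            return "rate_limited"
        attempts.append(now)
        return "allow"

    def record_failure(self, account, now=None):
        """Record a failed credential check; returns True if this failure locked the account."""
        now = time.time() if now is None else now
        failures = self._failures[account]
        self._prune(failures, now, self.window_s)
        failures.append(now)
        if len(failures) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            return True
        return False

    def record_success(self, account):
        """A successful login clears the account's failure history."""
        self._failures[account].clear()


def simulate():
    """Replay a constructed attempt sequence and return the guard's decisions in order."""
    guard = BruteForceGuard(max_failures=3, window_s=60, lockout_s=120, ip_limit=4)
    t0 = 1_000.0
    decisions = []
    # Three wrong passwords for one account from one IP inside the window.
    for i in range(3):
        decisions.append(guard.check("alice", "198.51.100.7", t0 + i))
        guard.record_failure("alice", t0 + i)
    # Fourth attempt: the account is locked regardless of the password offered.
    decisions.append(guard.check("alice", "198.51.100.7", t0 + 3))
    # The same IP moves on to other accounts and exhausts its per-IP budget.
    decisions.append(guard.check("bob", "198.51.100.7", t0 + 4))
    decisions.append(guard.check("carol", "198.51.100.7", t0 + 5))
    # After the lockout expires and the window has slid past, alice may try again.
    decisions.append(guard.check("alice", "198.51.100.7", t0 + 122))
    return decisions


if __name__ == "__main__":
    for step, decision in enumerate(simulate(), start=1):
        print(f"attempt {step}: {decision}")
```

The replayed sequence yields allow, allow, allow, locked, allow, rate_limited, allow: the third failure trips the account lockout, the fourth attempt is refused before any password comparison, the spray against other accounts is stopped by the per-IP limit, and access resumes only after both the lockout and the window have elapsed. Logging each "locked" and "rate_limited" decision with the source IP gives the SIEM the signal it needs to correlate with the T1110 Brute Force entries in the ATT&CK mapping above.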

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.


