Ransomware of the Week
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and may be relevant to your organization.
Type: Ransomware
Target Technologies: MS Windows
Introduction
CYFIRMA Research and Advisory Team has found Moon Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Moon Ransomware
Researchers have identified a new ransomware variant called Moon. This ransomware encrypts files and modifies their names by appending a series of random characters followed by the “.moon” extension. Additionally, Moon creates a ransom note titled “README.txt” to communicate with victims.
It is important to highlight that this ransomware variant closely resembles others, including MoneyIsTime and Beast.
Screenshot of files encrypted by this ransomware (Source: Surface Web)
The ransom note informs victims that their files, including documents, photos, and databases, have been encrypted and are now inaccessible. It states that the victims cannot decrypt their files without help and offers recovery options through the purchase of a private key from the attackers.
Victims are instructed to reach out to cybercriminals via email, or through Telegram to initiate the recovery process. The note also warns against renaming encrypted files or using third-party decryption tools, as this could lead to permanent data loss.
Finally, it threatens that the attackers will sell or publicly disclose the stolen data if the victims do not make contact within 24 hours.
Screenshot of Moon’s text file (“README.txt”) (Source: Surface Web)
The following are the TTPs based on the MITRE ATT&CK Framework.
Sr.No | Tactics | Techniques/Sub-Techniques |
1 | TA0002: Execution | T1047: Windows Management Instrumentation |
 | | T1059: Command and Scripting Interpreter |
 | | T1129: Shared Modules |
2 | TA0003: Persistence | T1543.003: Create or Modify System Process: Windows Service |
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading |
3 | TA0004: Privilege Escalation | T1055: Process Injection |
 | | T1543.003: Create or Modify System Process: Windows Service |
 | | T1548: Abuse Elevation Control Mechanism |
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading |
4 | TA0005: Defense Evasion | T1027.005: Obfuscated Files or Information: Indicator Removal from Tools |
 | | T1036: Masquerading |
 | | T1055: Process Injection |
 | | T1222: File and Directory Permissions Modification |
 | | T1497: Virtualization/Sandbox Evasion |
 | | T1548: Abuse Elevation Control Mechanism |
 | | T1562.001: Impair Defenses: Disable or Modify Tools |
 | | T1574.002: Hijack Execution Flow: DLL Side-Loading |
5 | TA0006: Credential Access | T1003: OS Credential Dumping |
 | | T1056.001: Input Capture: Keylogging |
 | | T1539: Steal Web Session Cookie |
 | | T1552.001: Unsecured Credentials: Credentials In Files |
6 | TA0007: Discovery | T1010: Application Window Discovery |
 | | T1016: System Network Configuration Discovery |
 | | T1018: Remote System Discovery |
 | | T1033: System Owner/User Discovery |
 | | T1049: System Network Connections Discovery |
 | | T1057: Process Discovery |
 | | T1082: System Information Discovery |
 | | T1083: File and Directory Discovery |
 | | T1087: Account Discovery |
 | | T1135: Network Share Discovery |
 | | T1497: Virtualization/Sandbox Evasion |
 | | T1518.001: Software Discovery: Security Software Discovery |
 | | T1614: System Location Discovery |
7 | TA0008: Lateral Movement | T1080: Taint Shared Content |
8 | TA0009: Collection | T1005: Data from Local System |
 | | T1056.001: Input Capture: Keylogging |
 | | T1074: Data Staged |
 | | T1114: Email Collection |
9 | TA0011: Command and Control | T1071: Application Layer Protocol |
 | | T1095: Non-Application Layer Protocol |
 | | T1573: Encrypted Channel |
10 | TA0040: Impact | T1486: Data Encrypted for Impact |
Relevancy and Insights:
- This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
- The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
- The sample also checks for user input. In commodity ransomware this is most often a sandbox-evasion check (consistent with T1497 in the table above): automated analysis environments generate little or no mouse or keyboard activity, so the sample can withhold encryption until a real user is present. It may also indicate that the sample can accept operator input or a trigger before starting its encryption routine or other malicious activity.
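The shadow-copy deletion noted above maps to ATT&CK T1490 (Inhibit System Recovery), which does not appear in the TTP table. As an added illustration (example code written for this report, not CYFIRMA's tooling and not Moon's code), the following Python flags the well-known vssadmin, wmic and PowerShell forms of shadow-copy deletion in process command lines. The sample command lines are constructed for the example.

```python
"""Detect shadow-copy deletion (ATT&CK T1490) in process command lines.

Added example: not CYFIRMA's code and not the ransomware's code. The three
patterns are the standard tool invocations that delete Volume Shadow Copies;
SAMPLE_COMMANDS are constructed, not captured from a real incident.
"""
import re

SHADOW_DELETE_PATTERNS = [
    # vssadmin delete shadows /all /quiet
    ("vssadmin_delete", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    # vssadmin resize shadowstorage ... /maxsize=401MB (evicts existing copies)
    ("vssadmin_resize", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    # wmic shadowcopy delete
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    # Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }
    ("powershell_win32_shadowcopy", re.compile(r"win32_shadowcopy.*\.delete\(", re.I | re.S)),
]


def shadow_copy_tampering(cmdline: str):
    """Return the matching pattern label for a command line, or None if benign."""
    for label, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(cmdline):
            return label
    return None


def flag_commands(cmdlines):
    """Return (index, label) for every command line that tampers with shadow copies."""
    hits = []
    for i, cmdline in enumerate(cmdlines):
        label = shadow_copy_tampering(cmdline)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample command lines (Sysmon event 1 / 4688 CommandLine field).
SAMPLE_COMMANDS = [
    "vssadmin.exe delete shadows /all /quiet",
    "wmic shadowcopy delete",
    'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    "vssadmin list shadows",            # benign enumeration, must not alert
    "cmd.exe /c dir C:\\Users",          # unrelated
]

if __name__ == "__main__":
    for i, label in flag_commands(SAMPLE_COMMANDS):
        print(f"ALERT [{label}]: {SAMPLE_COMMANDS[i]}")
```

Listing shadow copies is deliberately not flagged: backup agents and administrators run it routinely, and alerting on it would bury the real deletions.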
ETLM Assessment:
Based on the available information, CYFIRMA's assessment indicates that this ransomware presents a substantial threat to economically developed nations, particularly targeting sectors heavily reliant on Windows operating systems. Given its similarities with Beast, a known Ransomware-as-a-Service (RaaS), CYFIRMA assesses with low confidence that Moon could rise to become a significant threat. Notably, the threat actor's stated intent to sell or leak stolen data heightens the risk, especially for sectors such as finance, healthcare, and critical infrastructure. Its persistence and command-and-control capabilities enable prolonged attacks, highlighting the need for robust defensive measures in these high-value industries.
SIGMA Rule:
title: Uncommon File Created In Office Startup Folder
tags:
    - attack.resource-development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection_word_paths:
        - TargetFilename|contains: '\Microsoft\Word\STARTUP'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\STARTUP'
    filter_exclude_word_ext:
        TargetFilename|endswith:
            - '.docb' # Word binary document introduced in Microsoft Office 2007
            - '.docm' # Word macro-enabled document; same as docx, but may contain macros and scripts
            - '.docx' # Word document
            - '.dotm' # Word macro-enabled template; same as dotx, but may contain macros and scripts
            - '.mdb'  # MS Access DB
            - '.mdw'  # MS Access DB
            - '.pdf'  # PDF documents
            - '.wll'  # Word add-in
            - '.wwl'  # Word add-in
    selection_excel_paths:
        - TargetFilename|contains: '\Microsoft\Excel\XLSTART'
        - TargetFilename|contains|all:
              - '\Office'
              - '\Program Files'
              - '\XLSTART'
    filter_exclude_excel_ext:
        TargetFilename|endswith:
            - '.xll'
            - '.xls'
            - '.xlsm'
            - '.xlsx'
            - '.xlt'
            - '.xltm'
            - '.xlw'
    filter_main_office_click_to_run:
        Image|contains: ':\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_office_apps:
        Image|contains:
            - ':\Program Files\Microsoft Office\'
            - ':\Program Files (x86)\Microsoft Office\'
        Image|endswith:
            - '\winword.exe'
            - '\excel.exe'
    condition: ((selection_word_paths and not filter_exclude_word_ext) or (selection_excel_paths and not filter_exclude_excel_ext)) and not 1 of filter_main_*
falsepositives:
    - False positive might stem from rare extensions used by other Office utilities.
level: high
(Source: Surface Web)
Note that this rule detects uncommon files written to the Word and Excel startup folders (a persistence location) in general; it is not specific to Moon, and the extensions it deliberately excludes (for example .wll and .xll add-ins) will not raise an alert.
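To make the rule's matching behaviour concrete, the following Python re-implements its selections, filters and condition over constructed file-creation records (Sysmon event 11 field names). This is an added example written for this report, not CYFIRMA's code and not the SigmaHQ rule file itself; the events are made up, and Sigma string modifiers are case-insensitive, so every comparison lowercases.

```python
"""Sigma 'Uncommon File Created In Office Startup Folder' logic in Python.

Added example (not CYFIRMA's code, not the SigmaHQ rule itself): the rule's
selection/filter/condition evaluated over constructed file_event records.
"""

WORD_PATH_ALL = ("\\office", "\\program files", "\\startup")
EXCEL_PATH_ALL = ("\\office", "\\program files", "\\xlstart")
WORD_EXCLUDED_EXT = (".docb", ".docm", ".docx", ".dotm", ".mdb", ".mdw", ".pdf", ".wll", ".wwl")
EXCEL_EXCLUDED_EXT = (".xll", ".xls", ".xlsm", ".xlsx", ".xlt", ".xltm", ".xlw")
OFFICE_APP_DIRS = (":\\program files\\microsoft office\\", ":\\program files (x86)\\microsoft office\\")
CLICK_TO_RUN_DIR = ":\\program files\\common files\\microsoft shared\\clicktorun\\"


def selection_word_paths(target: str) -> bool:
    """selection_word_paths: user Word STARTUP folder, or the Office install STARTUP folder."""
    t = target.lower()
    return "\\microsoft\\word\\startup" in t or all(p in t for p in WORD_PATH_ALL)


def selection_excel_paths(target: str) -> bool:
    """selection_excel_paths: user Excel XLSTART folder, or the Office install XLSTART folder."""
    t = target.lower()
    return "\\microsoft\\excel\\xlstart" in t or all(p in t for p in EXCEL_PATH_ALL)


def filter_main_office(image: str) -> bool:
    """The two 'filter_main_*' blocks: writes by ClickToRun or by Word/Excel themselves."""
    i = image.lower()
    click_to_run = CLICK_TO_RUN_DIR in i and i.endswith("\\officeclicktorun.exe")
    office_app = any(d in i for d in OFFICE_APP_DIRS) and i.endswith(("\\winword.exe", "\\excel.exe"))
    return click_to_run or office_app


def matches(event: dict) -> bool:
    """Evaluate the rule's condition for one file-creation event."""
    target = event.get("TargetFilename", "")
    image = event.get("Image", "")
    low = target.lower()
    word = selection_word_paths(target) and not low.endswith(WORD_EXCLUDED_EXT)
    excel = selection_excel_paths(target) and not low.endswith(EXCEL_EXCLUDED_EXT)
    return (word or excel) and not filter_main_office(image)


def alerting_indices(events) -> list:
    """Indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches(e)]


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    # 0: script drops an executable into the user's Word startup folder -> alert
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\update.exe"},
    # 1: Word saving its own template -> excluded extension
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\Normal.dotm"},
    # 2: workbook in XLSTART -> excluded extension
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\Book1.xlsx"},
    # 3: Office updater writing into the install STARTUP folder -> filter_main_office_click_to_run
    {"Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetFilename": "C:\\Program Files\\Microsoft Office\\root\\Office16\\STARTUP\\WordIcon.dll"},
    # 4: PowerShell drops an .xlam add-in into XLSTART; .xlam is not excluded -> alert
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\helper.xlam"},
]

if __name__ == "__main__":
    for i in alerting_indices(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["Image"], "->", SAMPLE_EVENTS[i]["TargetFilename"])
```

Event 4 shows the rule's false-positive note in practice: .xlam add-ins are a legitimate XLSTART payload but are not on the exclusion list, so a deployment that pushes add-ins this way needs its own tuning.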
STRATEGIC RECOMMENDATIONS
- Implement strong security controls, including encryption, authentication, and access-credential policies, for access to critical systems in both cloud and on-premises environments.
- Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.
MANAGEMENT RECOMMENDATIONS
- A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
- Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
- Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
TACTICAL RECOMMENDATIONS
- Update all applications/software regularly with the latest versions and security patches alike.
- Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
Trending Malware of the Week
Type: Backdoor
Objective: Data theft, Remote Access
Target Technology: Windows OS, Browser
Target Geography: France
Active Malware of the Week
This week “WarmCookie” is trending.
WarmCookie
Researchers have discovered a new ‘FakeUpdate’ campaign targeting users in France, where compromised websites display fake browser and application updates to distribute a new version of the WarmCookie backdoor. The ‘FakeUpdate’ strategy, which involves tricking users into downloading malicious payloads, presents fake update prompts for popular software like web browsers and Java. Once installed, the WarmCookie backdoor allows attackers to steal data, execute commands, capture screenshots, and introduce additional malware. The latest version includes enhanced capabilities, such as running DLLs from temporary folders and executing EXE and PowerShell files.
Attack Method
Researchers discovered that the primary lure for triggering the infection in this FakeUpdate campaign is a fake browser update, a typical tactic in these attacks. Additionally, a compromised site promoting a fake Java update was also identified as part of the campaign.
Fig: Fake browser and Java update prompts
The infection begins when a user clicks on a fake browser update notice, activating JavaScript that downloads the WarmCookie installer and prompts the user to save the file, initiating the malware installation.
Fig: WarmCookie infection chain
When the fake software update is executed, the malware conducts anti-VM checks to verify it isn't operating in an analyst's environment and sends the infected system's fingerprint to its command and control (C2) server, awaiting further instructions. It's important to note that modern browsers like Chrome, Brave, Edge, and Firefox apply updates automatically, sometimes requiring only a program restart. Manually downloading and executing an update package is never part of a legitimate browser update process and is a red flag for malware. FakeUpdate attacks often compromise legitimate websites, making these pop-ups dangerous even on trusted platforms.
Features of WarmCookie
The updated WarmCookie backdoor supports the following commands, listed by command ID (IDs 7 and 9 have no handler):
1. Get CPU identification and memory size
2. Take screenshots
3. Enumerate installed programs via the Uninstall registry key
4. Command execution via cmd.exe /c, sending the results back via POST
5. Write a file to the victim
6. Read a file and send it back
7. (empty)
8. Write a DLL to %TEMP%, run it via rundll32.exe, and send back the output
9. (missing)
10. Same as 8, but started with "Start /update" arguments
11. Copy itself to %TEMP%
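Two of the behaviours in that command list leave a recognisable process-creation trail: rundll32.exe loading a DLL from %TEMP% (commands 8 and 10) and cmd.exe /c being spawned by a binary that itself lives in %TEMP% (commands 4 and 11). The following Python is an added triage example written for this report, not CYFIRMA's code and not WarmCookie's; it uses Sysmon event 1 field names, and the sample records are constructed.

```python
"""Flag rundll32-from-%TEMP% and cmd.exe /c spawned from %TEMP% in process events.

Added example: not CYFIRMA's code and not WarmCookie's. Field names follow
Sysmon event 1 (Image, CommandLine, ParentImage); SAMPLE_EVENTS are made up.
"""
import re

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

# rundll32 [path\]rundll32[.exe] <dll>[,Export args...]; the DLL may be quoted or bare.
RUNDLL32_RE = re.compile(
    r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)


def in_temp(path: str) -> bool:
    """True if the path lies under a user or system temp directory."""
    p = path.lower()
    return any(m in p for m in TEMP_MARKERS)


def rundll32_dll_path(cmdline: str):
    """Return the DLL argument of a rundll32 command line, or None if not rundll32."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def classify(event: dict):
    """Return a label for suspicious events, None otherwise."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    if image.endswith("\\rundll32.exe"):
        dll = rundll32_dll_path(cmdline)
        if dll and in_temp(dll):
            return "rundll32_dll_from_temp"
    if image.endswith("\\cmd.exe") and re.search(r"\s/c\b", cmdline, re.IGNORECASE) and in_temp(parent):
        return "cmd_c_from_temp_parent"
    return None


def triage(events):
    """Return (index, label) for every event classify() flags."""
    hits = []
    for i, event in enumerate(events):
        label = classify(event)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample events; paths and names are illustrative, not real IOCs.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\tmp3F2A.dll,Start",
     "ParentImage": "C:\\Users\\alice\\Downloads\\update.exe"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": '"C:\\Windows\\System32\\rundll32.exe" "C:\\Users\\alice\\AppData\\Local\\Temp\\tmp 1.dll",Start /update',
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},
]

if __name__ == "__main__":
    for i, label in triage(SAMPLE_EVENTS):
        print(f"ALERT [{label}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The quoted-path case (event 4) matters in practice: a detection that splits the command line on whitespace would see `"C:\Users\alice\AppData\Local\Temp\tmp` and miss the temp-directory marker entirely.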
INSIGHTS
- WarmCookie, a Windows backdoor first discovered in mid-2023, has emerged as a significant threat, particularly highlighted by a recent campaign leveraging fake software updates to distribute the malware. Targeting users in France, this campaign employs common tactics like fake browser and application update prompts to trick individuals into downloading the malware. The increasing sophistication of such attacks underscores the need for users to remain vigilant, especially when encountering unsolicited update notifications, which often serve as entry points for cybercriminals.
- What sets the latest version of WarmCookie apart is its enhanced functionality, allowing it to perform various malicious actions, including taking screenshots, executing commands, and collecting system information. This level of capability enables attackers to gather sensitive data and maintain persistent access to infected devices, posing a significant risk to both personal and organizational security. The ability to compromise legitimate websites further complicates the situation, as users may unknowingly trust the platforms they visit.
- The FakeUpdate strategy, most prominently used by 'SocGholish', illustrates the evolving tactics employed by cybercriminals to exploit unsuspecting users. This approach involves compromising or creating fake websites that display deceptive update prompts for various applications, including web browsers, Java, VMware Workstation, WebEx, and Proton VPN. When users click on these seemingly legitimate prompts, they unwittingly download a malicious payload that can include info-stealers, cryptocurrency drainers, remote access Trojans (RATs), and even ransomware. The sophistication of this strategy underscores the need for heightened vigilance, as the distinction between legitimate updates and malicious attempts becomes increasingly blurred, potentially leading to significant data breaches and operational disruptions.
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the evolution of WarmCookie malware and similar threats is expected to significantly impact organizations and their employees. As cybercriminals refine their tactics, the risk of widespread phishing attacks disguised as legitimate update notifications will likely increase, leading to a surge in successful breaches that compromise sensitive data and erode trust. With the prevalence of remote work, employees using personal devices for work tasks may further heighten the risk of malware infections, creating vulnerabilities that attackers can exploit and causing severe disruptions to business operations. The fallout from employees unknowingly installing malware could result in long-term consequences and legal liabilities, complicating the operational landscape for businesses.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
STRATEGIC RECOMMENDATIONS
- Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.
MANAGEMENT RECOMMENDATIONS
- Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
- Security Awareness training should be mandated for all company employees. The training should ensure that employees:
- Avoid downloading and executing files from unverified sources.
- Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
TACTICAL RECOMMENDATIONS
- Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Implement a reputation and category-based filtering to restrict access to unsafe website from corporate network and systems.
Weekly Intelligence Trends/Advisory
1. Weekly Attack Type and Trends
Key Intelligence Signals:
- Attack Type: Malware Implant, Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
- Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
- Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
- Ransomware – Medusa Ransomware, RansomHub Ransomware | Malware – WarmCookie
- Medusa Ransomware – One of the ransomware groups.
- RansomHub Ransomware – One of the ransomware groups.
- Please refer to the trending malware advisory for details on the following:
- Malware – WarmCookie
- Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.
2. Threat Actor in Focus
SHROUDED#SLEEP: An In-Depth Analysis of North Korea’s Ongoing Campaign Targeting Southeast Asia
- Threat actor: APT37
- Initial Attack Vector: Phishing, and Malware Implant
- Objective: Espionage
- Target Technology: Windows
- Target Geographies: Cambodia and Southeast Asia.
- Target Industries: Education, Health Care, and Agriculture.
- Business Impact: Operational Disruption, Financial Losses, and Data Compromise.
Summary:
The SHROUDED#SLEEP campaign, attributed to North Korea’s APT37 group, also known as Reaper or Group123, represents a sophisticated and stealthy cyberattack targeting Southeast Asia, with a significant focus on Cambodia. The campaign typically initiates through phishing emails containing malicious shortcut files disguised as legitimate documents, such as Excel spreadsheets or PDFs. These shortcut files utilize double-extension techniques to deceive users into believing they are opening an innocuous file. Once executed, the shortcut files trigger a series of PowerShell commands embedded within, which extract and execute hidden payloads. The malware employs a variety of evasion tactics, including long sleep intervals between commands to avoid detection by security software.
The extracted payloads include a custom DLL known as DomainManager.dll, which is designed to hijack the .NET AppDomainManager class, allowing attackers to execute malicious code before any legitimate application runs. This DLL is executed through a renamed legitimate executable, ensuring a stealthy execution process. To establish persistence, the malware drops its components into the Windows Startup directory, ensuring they are automatically executed upon user login. Notably, the initial execution of the malware does not trigger immediate malicious activity; instead, it relies on the user to reboot their system to activate the payloads.
The campaign further employs a PowerShell backdoor RAT named VeilShell, which facilitates communication with a command-and-control (C2) server. This backdoor grants attackers extensive control over the compromised system, allowing them to exfiltrate data, create scheduled tasks, modify the registry, and interact with the file system. Communication between the victim's machine and the C2 server is carried over HTTP POST and GET requests, enabling remote execution of commands.
To maintain stealth, the malware employs Base64 encoding and Caesar ciphers, complicating detection and analysis by traditional security tools. Overall, the SHROUDED#SLEEP campaign exemplifies a highly methodical and patient approach by its operators, leveraging a multi-layered attack strategy to maintain long-term control over compromised systems while minimizing the risk of detection.
Relevancy & Insights:
APT37 has a history of sophisticated cyber espionage campaigns that frequently target government entities, educational institutions, and NGOs, primarily in South Korea and more recently in Southeast Asia. Past attacks, such as those associated with the DEEP#GOSU campaign, have demonstrated the group’s preference for stealthy techniques, including phishing and the deployment of PowerShell-based malware to achieve their objectives. In these earlier incidents, the group often utilized social engineering tactics, like crafting seemingly legitimate communications, to lure victims into executing malicious payloads.
The current SHROUDED#SLEEP campaign closely aligns with APT37’s established patterns. It involves similar tactics, using phishing emails that deliver malicious shortcut files to install the stealthy VeilShell backdoor. This approach not only reflects a continuation of their methods but also indicates an adaptation to target a broader geographical area, specifically Southeast Asia, with Cambodia emerging as a primary focus. This geographical shift mirrors earlier targeting patterns, suggesting that APT37 is consistently seeking to gather intelligence on politically and economically significant regions.
ETLM Assessment:
This group focuses its efforts primarily on Southeast Asia, also having a broader interest in regional intelligence gathering. APT37 typically targets key industries, including NGOs, and sectors related to education and health, reflecting their intent to gather sensitive information relevant to geopolitical dynamics.
Utilizing Windows-based technologies, APT37 leverages tools such as PowerShell and .NET, with a strong emphasis on phishing emails to exploit user behavior rather than specific software vulnerabilities. Their current operations prominently feature the VeilShell backdoor, which offers robust remote access capabilities. The group’s use of stealthy malware delivery methods and obfuscation techniques positions them as a significant threat in the region.
The threat landscape surrounding APT37 highlights an ongoing trend of state-sponsored cyber activities that blend technical prowess with effective social engineering strategies, making detection challenging for security professionals. In the future, APT37 is expected to expand its operations, potentially targeting additional countries and sectors, and increasing the sophistication of its tactics. Organizations in Southeast Asia should prioritize strengthening their cybersecurity measures and user awareness to better defend against these persistent threats.
Recommendations:
The SHROUDED#SLEEP campaign highlights the necessity of strong endpoint security, particularly in monitoring PowerShell activity, registry changes, and network communications. Defenders need to maintain heightened vigilance.
- It’s crucial to refrain from downloading files or attachments from unknown external sources, particularly if they are unsolicited. Be cautious with common file types such as zip, rar, iso, and pdf. Furthermore, external links leading to downloads of these file types should be viewed with suspicion.
- It's essential to monitor frequently used malware staging directories, paying particular attention to script-related activity in user-writable locations. In this campaign, threat actors used the user's Startup directory, located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, for staging their malicious payloads.
- Pay careful attention to traditional persistence mechanisms, particularly those involving the Windows Registry and scheduled tasks, as these can indicate attempts to sustain unauthorized access to systems.
- Implement comprehensive endpoint logging to enhance PowerShell detection capabilities, using additional process-level logging tools such as Sysmon together with PowerShell script block and module logging.
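The two artefacts the summary describes, a shortcut with a decoy double extension and a renamed .NET executable whose configuration points the runtime at a custom AppDomainManager assembly (T1574.014), can both be checked for in the per-user Startup folder. The following Python is an added example written for this report, not CYFIRMA's, Securonix's or the threat actor's code. The configuration format (a `<runtime>` element with `appDomainManagerAssembly` and `appDomainManagerType`) is the standard .NET mechanism; the file names, the type name "DomainManager.Loader" and the file contents are constructed for the example, not recovered from the campaign.

```python
"""Audit a Startup folder for double-extension shortcuts and AppDomainManager hijack configs.

Added example: not CYFIRMA's, Securonix's or the attacker's code. The .NET
config schema is standard; SAMPLE_ENTRIES and the names in them are made up.
"""
import os
import xml.etree.ElementTree as ET

STARTUP_DIR = (os.environ.get("APPDATA", r"C:\Users\alice\AppData\Roaming")
               + r"\Microsoft\Windows\Start Menu\Programs\Startup")
DECOY_EXTS = (".xlsx", ".xls", ".docx", ".doc", ".pdf", ".txt")


def is_double_extension_lnk(filename: str) -> bool:
    """True for 'report.xlsx.lnk'-style names: a shortcut whose stem ends in a document extension."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    return name[:-4].endswith(DECOY_EXTS)


def appdomain_manager(config_xml: str):
    """Return (assembly, type) if an app config sets a custom AppDomainManager, else None.

    The same hijack can be set through the APPDOMAIN_MANAGER_ASM /
    APPDOMAIN_MANAGER_TYPE environment variables; that path is not checked here.
    """
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None or typ is None:
        return None
    return asm.get("value"), typ.get("value")


def audit_startup(entries):
    """entries: (filename, text_content_or_None) pairs. Returns (filename, finding) pairs."""
    findings = []
    for name, content in entries:
        if is_double_extension_lnk(name):
            findings.append((name, "double-extension shortcut"))
        # The config must sit next to the (renamed) .NET executable as <exe>.exe.config.
        if name.lower().endswith(".exe.config") and content:
            hit = appdomain_manager(content)
            if hit:
                findings.append((name, "AppDomainManager hijack -> %s / %s" % hit))
    return findings


def scan_directory(path: str = STARTUP_DIR):
    """Read a real Startup folder into (name, content) entries and audit them."""
    entries = []
    for name in os.listdir(path):
        content = None
        if name.lower().endswith(".exe.config"):
            with open(os.path.join(path, name), "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read()
        entries.append((name, content))
    return audit_startup(entries)


# Constructed sample directory listing; "viewer.exe" stands in for a renamed legitimate .NET binary.
SAMPLE_ENTRIES = [
    ("Quarterly_Report.xlsx.lnk", None),
    ("notes.txt", "meeting at 10"),
    ("viewer.exe", None),
    ("viewer.exe.config", """<configuration>
  <runtime>
    <appDomainManagerAssembly value="DomainManager, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="DomainManager.Loader" />
  </runtime>
</configuration>"""),
    ("legit.exe.config", """<configuration><startup><supportedRuntime version="v4.0" /></startup></configuration>"""),
]

if __name__ == "__main__":
    for name, finding in audit_startup(SAMPLE_ENTRIES):
        print(f"{name}: {finding}")
```

The AppDomainManager check is the higher-value one: a legitimate .exe.config in a Startup folder is rare, and one that names a manager assembly with `PublicKeyToken=null` (unsigned, loaded from the executable's own directory) is the exact shape of the DomainManager.dll technique described above.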
MITRE ATT&CK Tactics and Techniques
Tactics | ID | Technique |
Initial Access | T1566.001 | Phishing: Spearphishing Attachment |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
Execution | T1059.007 | Command and Scripting Interpreter: JavaScript |
Execution | T1204.001 | User Execution: Malicious Link |
Execution | T1204.002 | User Execution: Malicious File |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1574.014 | Hijack Execution Flow: AppDomainManager |
Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
Defense Evasion | T1112 | Modify Registry |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1555 | Credentials from Password Stores |
Discovery | T1057 | Process Discovery |
Discovery | T1069.002 | Permission Groups Discovery: Domain Groups |
Discovery | T1082 | System Information Discovery |
Discovery | T1033 | System Owner/User Discovery |
Collection | T1560 | Archive Collected Data |
Command and Control | T1132 | Data Encoding |
Exfiltration | T1041 | Exfiltration Over C2 Channel |
IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
3. Major Geopolitical Developments in Cybersecurity
China breached US wiretapping systems
According to U.S. officials, Chinese hackers have breached at least three major U.S. telecommunications providers in what appears to be an audacious espionage operation likely aimed in part at discovering the Chinese targets of American surveillance. The Chinese threat actor Salt Typhoon breached networks belonging to US broadband providers, including Verizon, AT&T, and Lumen, and gained access to systems used by the Federal government for court-authorized wiretapping. The hackers remained undetected within the networks for several months. The FBI, the Department of Homeland Security, and other US intelligence agencies are investigating the incidents. In Verizon’s case, the hackers have probably exfiltrated data by reconfiguring Cisco routers.
ETLM Assessment:
The revelation of the security breach and possible counterintelligence operation emerges at a time when Washington and Beijing are working to prevent their competitive relationship from escalating into conflict. The Biden administration sees China as its most significant strategic challenge, given its efforts to rival the U.S. economically, militarily, and in terms of influence in the developing world. The scale and extent of the intrusion are still under investigation; however, the first reports suggest a very serious breach, as the attackers likely had access to the general internet traffic coursing through the providers' systems. The incident is another move in the shadow competition between the two leading world powers, which in recent years have been on a collision course that increasingly plays out in the fifth domain as the world economy moves toward online integration.
North Korean hackers targeting German arms manufacturer
North Korean state-sponsored hackers have attacked the defense contractor Diehl Defence, according to researchers who discovered and analyzed the operation. According to their findings, hackers from the "Kimsuky" (aka APT43) group attempted to trick Diehl employees with fake, seemingly lucrative job offers from American defense companies in a spearphishing campaign that delivered fraudulent PDF files to their mailboxes, which would infect their computers with malware.
The hackers hid their attack server behind an address containing the name “Uberlingen,” referencing Diehl Defence’s location in Überlingen by Lake Constance. The server also hosted authentic-looking German-language login pages that resembled those of Telekom and the email provider GMX. Apparently, the attackers intended to steal login credentials from German users.
ETLM Assessment:
Diehl Defence manufactures, among other weapon systems, the Iris-T guided missiles, which the South Korean military uses to equip its latest KF-21 fighter jets. Only this spring, Diehl announced the first successful test firing of the weapon in integration with Korean systems.
As we have noted in an earlier report, North Korean state hackers both collect intelligence and generate revenue for the state. The cyber espionage efforts are focused on the state's perceived adversaries, mainly South Korea, the United States, and Japan, collecting intelligence on other countries' military capabilities and stealing technologies that could be used by the North Korean military. In this case, the apparent underlying logic for the state-driven campaign has been both gaining useful military intelligence on South Korea and learning details of a Western weapon system that the heavily sanctioned regime could potentially use in its domestic industry or trade with its Chinese, Iranian, and Russian partners.
4. Rise in Malware/Ransomware and Phishing
The Medusa Ransomware Impacts BELL DATA, Inc
- Attack Type: Ransomware
- Target Industry: Information Technology and Services
- Target Geography: Japan
- Ransomware: Medusa Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, BELL DATA, Inc (www[.]belldata[.]com), was compromised by the Medusa Ransomware. Bell Data, Inc. is a Japanese IT services company that specializes in infrastructure and system integration. The company operates across Japan with multiple branches and data centers. Bell Data provides a range of services, including server and hardware sales, network setup, cloud solutions, and security product deployment. The compromised data includes confidential and sensitive information belonging to the organization. The price for downloading the data is set at $300,000.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
- Medusa ransomware has been active since late 2021 and has quickly established itself as a major player in the ransomware space, employing a double extortion strategy. Once inside, Medusa uses strong encryption methods (AES-256 and RSA-2048) to secure files, rendering them inaccessible without the decryption key held by the attackers.
- Medusa employs a range of tactics for infiltration, including exploiting unpatched vulnerabilities (e.g., CVE-2023-48788 in Fortinet’s FortiClient EMS), phishing attacks, and leveraging compromised Remote Desktop Protocol (RDP) configurations. They utilize living-off-the-land techniques, employing legitimate tools like ConnectWise and PDQDeploy to evade detection.
- The Medusa Ransomware group primarily targets countries like the United States of America, Canada, the United Kingdom, Italy, and Australia.
- The Medusa Ransomware group primarily targets industries, such as Manufacturing, Healthcare, Finance, Retail, and Transportation.
- Based on the Medusa Ransomware victims list from 1st Jan 2024 to 8th October 2024, the top 5 Target Countries are as follows:
- The Top 10 Industries, most affected by Medusa Ransomware from 1st Jan 2024 to 8 October 2024 are as follows:
ETLM Assessment:
Based on recent assessments by CYFIRMA, Medusa Ransomware continues to pose a significant threat across various sectors. The group’s sophisticated tactics and aggressive demands highlight the need for organizations to enhance their cybersecurity measures, including regular updates, employee training on phishing recognition, and robust incident response plans to mitigate risks associated with ransomware attacks.
The RansomHub Ransomware Impacts the Naniwa Pump Manufacturing Co., Ltd.
- Attack Type: Ransomware
- Target Industry: Manufacturing
- Target Geography: Japan
- Ransomware: RansomHub Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Naniwa Pump Manufacturing Co., Ltd. (www[.]naniwa-pump[.]co[.]jp), was compromised by RansomHub Ransomware. Naniwa Pump Manufacturing Co., Ltd. specializes in the production of various types of industrial pumps, including centrifugal, gear, screw, piston, and vacuum pumps. The company operates primarily in the marine and industrial sectors, providing custom-built pumps designed to meet specific customer requirements. The compromised data encompasses a trove of sensitive and confidential records originating from the organizational database. The total size of the compromised data is approximately 31 GB.
The following screenshot was observed published on the dark web:
Source: Dark Web
Relevancy & Insights:
- RansomHub Ransomware had listed over 210 victims on its dark web leak site, a reflection of the group’s expanding operations.
- The RansomHub Ransomware group primarily targets countries like the United States of America, the United Kingdom, Brazil, Australia, and Italy.
- The RansomHub Ransomware group primarily targets industries, such as Specialized Consumer Services, Heavy Construction, Business Support Services, Software, and Health Care Providers.
- Based on the RansomHub Ransomware victims list from 1st Jan 2024 to 8th October 2024, the top 5 Target Countries are as follows:
- The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2024 to 8th October 2024 are as follows:
ETLM Assessment:
Based on recent assessments by CYFIRMA, RansomHub ransomware is expected to intensify its operations across various industries worldwide, with a notable focus on regions in the United States, Europe, and Asia. This prediction is reinforced by the recent attack on Naniwa Pump Manufacturing Co., Ltd., a prominent Manufacturing company from Japan, highlighting RansomHub’s significant threat presence in the Asia Pacific region.
5. Vulnerabilities and Exploits
A] Vulnerability in Ivanti Cloud Services Appliance (CSA)
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Server applications
- Vulnerability: CVE-2024-9379
- CVSS Base Score: 6.5
- Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Summary:
The vulnerability allows a remote, authenticated attacker with administrator privileges on the CSA admin web console to execute arbitrary SQL statements against the application database.
Relevancy & Insights:
The vulnerability exists due to insufficient sanitization of user-supplied data in the admin web console. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. Because administrator authentication is required, the practical risk is highest where the admin console is reachable from the Internet or where admin credentials may already have been stolen.
Impact:
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, and modify data in a database and gain complete control over the affected application.
Affected Products:
Ivanti Cloud Services Appliance (CSA) 5.0.1 and prior; fixed in CSA 5.0.2. CSA 4.6 is end-of-life and does not receive this fix.
Vendor advisory: https[:]//forums[.]Ivanti[.]com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US
Recommendations:
Patching: Upgrade to Ivanti CSA 5.0.2. Customers on the end-of-life CSA 4.6 must migrate to 5.0.x, as 4.6 does not receive this fix.
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability, in particular admin-console requests carrying SQL syntax in parameters, new or unexpected administrator accounts, and admin logins from untrusted networks. Restrict the admin console to a trusted management network rather than exposing it to the Internet.
B] Vulnerability in Ivanti Cloud Services Appliance (CSA)
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Server applications
- Vulnerability: CVE-2024-9380
- CVSS Base Score: 7.2
- Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
Summary:
The vulnerability allows a remote, authenticated attacker with administrator privileges on the CSA admin web console to execute arbitrary shell commands on the target system.
Relevancy & Insights:
The vulnerability exists due to improper input validation: user-controlled data reaches an OS command without being neutralized.
Impact:
A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system, giving remote code execution on the appliance itself.
Affected Products:
Ivanti Cloud Services Appliance (CSA) 5.0.1 and prior; fixed in CSA 5.0.2. CSA 4.6 is end-of-life and does not receive this fix.
Vendor advisory: https[:]//forums[.]Ivanti[.]com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US
Recommendations:
Patching: Upgrade to Ivanti CSA 5.0.2. Customers on the end-of-life CSA 4.6 must migrate to 5.0.x, as 4.6 does not receive this fix.
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability, in particular shell metacharacters in admin-console request parameters and unexpected child processes spawned by the appliance's web server. If exploitation is suspected, treat the appliance as compromised, rotate credentials stored on it, and rebuild rather than patch in place.
C] Vulnerability in Ivanti Cloud Services Appliance (CSA)
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Server applications
- Vulnerability: CVE-2024-9381
- CVSS Base Score: 7.2
- Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Summary:
The vulnerability allows a remote, authenticated attacker with administrator privileges to perform directory traversal attacks.
Relevancy & Insights:
The vulnerability exists due to an input validation error when processing directory traversal sequences (such as "../") in user-supplied paths.
Impact:
A remote privileged user can send a specially crafted HTTP request to bypass restrictions on the affected system and reach files or functionality outside the intended directory.
Affected Products:
Ivanti Cloud Services Appliance (CSA) 5.0.1 and prior; fixed in CSA 5.0.2. CSA 4.6 is end-of-life and does not receive this fix.
Vendor advisory: https[:]//forums[.]Ivanti[.]com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US
Recommendations:
Patching: Upgrade to Ivanti CSA 5.0.2. Customers on the end-of-life CSA 4.6 must migrate to 5.0.x, as 4.6 does not receive this fix.
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability, in particular traversal sequences (including percent-encoded and double-encoded forms) in admin-console request paths and parameters.
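The three advisories above share the same "Monitoring and Detection" recommendation without saying what to look for. The following is an added example written for this page, not code from Ivanti or from CYFIRMA: a small scanner that reads web-server access logs in combined-log format and flags request parameters that match the three weakness classes (SQL injection, OS command injection, path traversal). The log lines are constructed for the example, the path names (/admin/reports, /admin/diag, /admin/files) are invented and are not CSA endpoints, and the signatures are generic; nothing here encodes the actual Ivanti exploitation details.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined-log format. They are illustrative only and
# are not taken from an Ivanti CSA or from any incident described in the report.
SAMPLE_LOG = """\
10.0.0.5 - admin [08/Oct/2024:10:01:02 +0000] "GET /admin/reports?id=12 HTTP/1.1" 200 512
10.0.0.7 - admin [08/Oct/2024:10:01:09 +0000] "GET /admin/reports?id=12%27%20OR%201%3D1-- HTTP/1.1" 200 9021
10.0.0.7 - admin [08/Oct/2024:10:01:15 +0000] "POST /admin/diag?host=127.0.0.1%3Bid HTTP/1.1" 200 318
10.0.0.9 - admin [08/Oct/2024:10:02:41 +0000] "GET /admin/files?name=..%252F..%252F..%252Fetc%2Fpasswd HTTP/1.1" 200 1419
10.0.0.9 - admin [08/Oct/2024:10:03:00 +0000] "GET /admin/files?name=report.pdf HTTP/1.1" 200 77201
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Generic signatures for the three weakness classes named in the advisory.
# Kept deliberately narrow: an admin console has few users, so a handful of
# matches is already worth an analyst's attention.
SIGNATURES = {
    "sql_injection": re.compile(r"'\s*(or|and|union|select)\b|'\s*--|\bunion\s+select\b", re.I),
    "os_command_injection": re.compile(r"[;|`]|\$\(|&&|\|\|"),
    "path_traversal": re.compile(r"(\.\./|\.\.\\)"),
}


def normalise(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads (..%252F) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> set:
    """Return the set of weakness classes whose signatures match the request target."""
    parts = urlsplit(target)
    # Inspect the path and each query value separately, so the '&' that
    # legitimately separates parameters is never itself flagged as injection.
    candidates = [normalise(parts.path)]
    candidates += [normalise(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    hits = set()
    for value in candidates:
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return hits


def scan_log(text: str) -> list:
    """Produce one finding per (log line, weakness class) pair."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        for cls in sorted(classify_request(m["target"])):
            findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "method": m["method"], "target": m["target"], "class": cls})
    return findings


def hits_per_source(findings: list) -> dict:
    """Count findings per source IP; repeated hits from one client stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['user']} {f['method']} {f['target']} -> {f['class']}")
    print(hits_per_source(results))
```

Pattern matching on request logs is a coarse first pass: it misses payloads carried in POST bodies or headers, and traffic from a client that has already authenticated as an administrator deserves review even without a signature hit. Pair it with the appliance's own audit trail and with alerts on new admin accounts and logins from outside the management network.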
TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment:
The three vulnerabilities in the Ivanti Cloud Services Appliance (CSA) all require an authenticated administrator on the admin web console, which lowers their standalone CVSS scores, but CSA is an Internet-facing appliance, and Ivanti has reported that a limited number of customers running CSA 4.6 patch 518 and earlier were exploited when CVE-2024-9379 or CVE-2024-9380 was chained with CVE-2024-8963, an earlier authentication-bypass flaw in the same product. Organizations across industries and regions that rely on CSA should therefore treat these as actively exploited, upgrade to CSA 5.0.2 (4.6 is end-of-life and will not be fixed), keep the admin console off the Internet, and review appliance logs and administrator accounts for signs of prior compromise.
6. Latest Cyber-Attacks, Incidents, and Breaches
KillSec Ransomware attacked and Published the data of the Infina
- Threat Actors: KillSec Ransomware
- Attack Type: Ransomware
- Objective: Data Leak, Financial Gains
- Target Technology: Web Applications
- Target Industry: Finance, Technology
- Target Geography: Vietnam
- Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage
Summary:
Recently, we observed that the KillSec Ransomware attacked and published data of Infina (www[.]infina[.]vn) on its dark web website. Infina is a Vietnamese fintech platform that focuses on investment and wealth management. It offers a variety of investment products, such as fixed-income products, mutual funds, real estate, and stock trading. The platform is designed to democratize investment by making it accessible to a wide range of users, especially those who may not have significant financial expertise or large amounts of capital. According to the leak-site post, the data published after the ransomware attack encompasses the platform's client information.
Source: Dark Web
Relevancy & Insights:
- Launch of KillSec RaaS: On June 25, 2024, KillSec announced the introduction of its Ransomware-as-a-Service platform via its Telegram channel. This platform is designed to provide aspiring cybercriminals with advanced tools and user-friendly features to facilitate ransomware attacks. The core component of this service is a locker written in C++, which encrypts files on victims' machines and renders them inaccessible until a decryption key is supplied after the ransom is paid.
- Pricing Model: Access to the KillSec RaaS platform is priced at $250, with KillSec taking a 12% commission on any ransom payments collected. This model aims to make sophisticated ransomware tools accessible to less technically skilled individuals, potentially increasing the frequency of ransomware incidents globally.
ETLM Assessment:
The emergence of KillSec’s Ransomware-as-a-Service (RaaS) platform represents a concerning development in the cybercrime landscape. By lowering the technical barrier to entry, this RaaS model allows less skilled individuals to engage in sophisticated ransomware attacks, potentially leading to an increase in such incidents globally. According to CYFIRMA’s assessment, the KillSec ransomware group is expected to continue targeting a wide range of industries worldwide. Their advanced tactics, such as exploiting website vulnerabilities and conducting credential theft, make them a significant threat to organizations with inadequate security measures in place.
7. Data Leaks
Indonesian Government Data Advertised on a Leak Site
- Attack Type: Data Leak
- Target Industry: Government
- Target Geography: Indonesia
- Objective: Data Theft, Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary:
In a recent post on a dark web forum, a notorious threat actor claimed responsibility for breaching a significant Indonesian government database. The individual, operating under the alias “@303,” announced that they had successfully obtained the database and provided a sample of the compromised data.
A sample of the exposed data was also included in the post, featuring various sensitive fields such as user login information, passwords, email addresses, and account statuses. Specifically, the leaked data contained details like:
- User login credentials
- Passwords (likely hashed)
- User email addresses
- Account registration dates
- Activation keys and status
Source: Underground Forums
KintApp Data Advertised on a Leak Site
- Attack Type: Data Leak
- Target Geography: Thailand
- Target Industry: Software Development and Technology Solutions
- Objective: Data Theft, Financial Gains
- Business Impact: Data Loss, Reputational Damage
Summary:
A threat actor has claimed responsibility for a significant data breach targeting KintApp, a communication platform widely used by organizations in Thailand. According to a post made on a dark web forum, the breach compromised sensitive information from over 2,500 organizations, including prominent institutions such as the Thailand Constitutional Court, the Royal Thai Police Cadet Academy, and the Thailand Defense College.
The threat actor alleged that the stolen data includes users’ personal details such as identification numbers, email addresses, first and last names, and mobile phone numbers. While the authenticity of these claims has not yet been independently verified, the poster provided a sample of the stolen data to substantiate the breach. KintApp, designed to facilitate communication for businesses, is popular among both private and public sector entities across Thailand.
Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
Threat Actor “303” is driven primarily by financial motives, frequently targeting a broad spectrum of industries, such as healthcare, finance, manufacturing, and critical infrastructure. This actor poses a significant risk in the cybersecurity landscape, employing advanced techniques to facilitate data breaches and achieve financial gains through the exploitation of sensitive information. To defend against this evolving threat, organizations must maintain heightened awareness and adopt proactive cybersecurity measures.
Recommendations: Enhance the cybersecurity posture by
- Updating all software products to their latest versions, which is essential to mitigate the risk of vulnerabilities being exploited.
- Ensuring proper database configuration (no Internet-exposed database ports, least-privilege database accounts, and salted password hashing) to mitigate the risk of database-related attacks.
- Establishing robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.
8. Other Observations
In a recent development, Smart Buy, a UAE-based e-commerce platform, has reportedly suffered a data breach, exposing sensitive information of approximately 8,500 users. The breach, which allegedly occurred in October 2024, was disclosed by threat actors known as @IntelBroker and @EnergyWeaponUser, who shared the compromised data on a dark web forum.
The breached data includes user email addresses, transaction dates, currencies, and information related to specific online stores. A sample of the compromised data has been provided as proof of the breach.
Source: Underground forums
Threat Actor Claims Breach of Rivoli Group AE. The Rivoli Group is synonymous with luxury lifestyle retail. It has established a wide footprint, serving its customers across the UAE, Oman, Qatar, and Bahrain offering a diverse portfolio of over 100 prestigious international brands and an unmatched retail experience. Rivoli encompasses a wide spectrum of all premium things such as watches, eyewear, jewelry, leather accessories, and writing instruments.
The incident allegedly affected 44,000 users. Threat Actors compromised data, including order statuses, dates, countries, and email addresses. The data breach has been attributed to a threat actor identified as “IntelBroker”.
Source: Underground forums
ETLM Assessment:
The “IntelBroker” threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.
STRATEGIC RECOMMENDATIONS
- Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
- Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
- Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.
MANAGEMENT RECOMMENDATIONS
- Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
- Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
- Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
- Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
- Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and evolve them continuously to keep up with refined ransomware threats.
TACTICAL RECOMMENDATIONS
- Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
- Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
- Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
- Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
- Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
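The tactical recommendation on rate-limiting and account lockout describes the controls but not how they fit together. The following is an added example, written for this page and not taken from CYFIRMA or any product: a login throttle that combines a sliding-window rate limit per source IP (which slows password spraying across many accounts) with a lockout per account after repeated failures (which stops credential stuffing against one account). The thresholds, the IP addresses, and the account names are invented for the demonstration; the clock is injectable so the behaviour can be exercised without waiting.

```python
import time
from collections import deque


class LoginThrottle:
    """Per-IP sliding-window rate limit plus per-account lockout.

    Thresholds below are illustrative defaults chosen for this example, not
    values recommended by any vendor. `clock` is injectable for testing.
    """

    def __init__(self, ip_limit=20, ip_window=60, account_failures=5,
                 lockout_seconds=900, clock=time.monotonic):
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.account_failures = account_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._ip_attempts = {}   # ip -> deque of attempt timestamps
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    @staticmethod
    def _prune(dq, cutoff):
        # Drop timestamps that have fallen out of the window.
        while dq and dq[0] < cutoff:
            dq.popleft()

    def check(self, ip, account):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        if self._locked_until.get(account, 0) > now:
            return False, "account_locked"
        dq = self._ip_attempts.setdefault(ip, deque())
        self._prune(dq, now - self.ip_window)
        if len(dq) >= self.ip_limit:
            return False, "ip_rate_limited"
        dq.append(now)
        return True, "ok"

    def record_failure(self, account):
        """Call after a wrong password; locks the account on the Nth failure."""
        now = self.clock()
        dq = self._failures.setdefault(account, deque())
        self._prune(dq, now - self.lockout_seconds)
        dq.append(now)
        if len(dq) >= self.account_failures:
            self._locked_until[account] = now + self.lockout_seconds
            dq.clear()

    def record_success(self, account):
        """A successful login clears the failure history for that account."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


class FakeClock:
    """Deterministic clock for the demonstration below."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Run two constructed attack patterns through the throttle and return the decisions."""
    clock = FakeClock()
    th = LoginThrottle(ip_limit=20, ip_window=60, account_failures=5,
                       lockout_seconds=900, clock=clock)
    results = []
    # Credential stuffing: five wrong passwords for one account from one IP.
    for _ in range(5):
        th.check("203.0.113.10", "alice")
        th.record_failure("alice")
        clock.advance(1)
    results.append(th.check("203.0.113.10", "alice"))   # locked
    results.append(th.check("198.51.100.7", "alice"))   # locked from any IP
    clock.advance(900)                                  # lockout expires
    results.append(th.check("198.51.100.7", "alice"))   # allowed again
    # Password spraying: one IP, many accounts, one attempt each.
    for i in range(20):
        th.check("203.0.113.99", f"user{i}")
    results.append(th.check("203.0.113.99", "user20"))  # over the per-IP limit
    clock.advance(61)                                   # window slides past
    results.append(th.check("203.0.113.99", "user20"))  # allowed again
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Two caveats a practitioner will want: return the same generic error to the client whether the account is locked or the password is simply wrong, so the lockout cannot be used to enumerate valid usernames; and because per-account lockout can be turned into a denial of service against a known victim, keep the lockout short and back it with the per-IP limit and a CAPTCHA rather than relying on it alone.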
4. Situational Awareness – Cyber News
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
Geography-Wise Graph
Industry-Wise Graph
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.