Weekly Cyber-Intelligence Report – 3 Apr 2021

Published On : 2021-04-03

1.    Weekly Attack Type and Trends

  • Ransomware/Malware: njRAT, Agent Tesla, LokiBot, Avaddon Ransomware
  • Attack Type: Spear-Phishing Attacks, Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, Credential Stealing, Supply Chain Attacks
  • Objective: Data Exfiltration, Data Encryption, Payload Delivery, Cyber Espionage, Reconnaissance
  • Business Impact: Loss of Critical Data, Financial Impact, Reputational Damage

The malware observed targeting organizations includes njRAT, a .NET Remote Access Trojan with several built-in evasion techniques; FormBook, an information-stealing malware; and NanoCore, another .NET Remote Access Trojan offering highly customized plug-ins for tailored attacks. The objectives observed include data encryption, data exfiltration, and payload delivery.

Most of this malware uses phishing as its initial attack vector. Beyond these attack methods, exploitation of vulnerabilities and defence-evasion tactics have also been observed.

Insights: CYFIRMA – as part of its cyber-threat predictions for 2021 – had highlighted that threat actors would potentially recycle and repurpose existing malware to carry out cyber-attacks. Commodity malware such as njRAT, FormBook, NanoCore, and Avaddon ransomware has been leveraged effectively in the past and will continue to be used by threat actors looking for readily available and affordable malware samples.

 

2.    Threat Actor in Focus

 

RedEcho Takes down Its Domain Infrastructure After Public Exposure

  • Targeted Industries: Energy (Power Sector)
  • Target Countries: India
  • Target Technologies:
  • Suspected Threat Actor: RedEcho (Chinese)
  • Attack Type: Malware Attack
  • Vulnerabilities:
  • Objective: Operational Disruption, Cyber Espionage
  • Business Impact: Data Loss, Economic Espionage, Financial Loss

Summary: In a recent development, RedEcho – one of many Chinese government-sponsored cyber-espionage threat actor groups – has taken down its attack infrastructure after its operations were exposed at the end of February 2021 by security researchers. The group was linked to a campaign that targeted India’s power grid and critical infrastructure entities. The web domains used to control the ShadowPad malware identified in targeted intrusion activity against the Indian power grid now appear parked.

Insights: RedEcho has strong infrastructure and victimology overlaps with the Chinese groups APT41/Barium and Tonto Team, while ShadowPad is used by at least 5 distinct Chinese groups. The earliest signs of RedEcho activity date back to early 2020, but operations gained significant momentum after a May 2020 border dispute between India and China. It is likely that the public disclosure of RedEcho’s Indian operations in February 2021 has put the targeted entities on the defensive. Further, as a cyber-espionage group, RedEcho depends on stealth to operate effectively, and threat actor groups often react to public disclosure by moving their infrastructure to new servers.

 

3.    Major Geopolitical Developments in Cybersecurity

 

Anonymous Hacking Group Targets Japanese Organizations as Part of #OpMyanmar

Insights: On March 25th, it was observed that the Anonymous hacking group (a decentralized international activist/hacktivist collective which started in the early 2000s) had identified organizations and entities known to support the Myanmar military coup as potential targets. The campaign is codenamed ‘Operation Myanmar’.

On March 28th, the group posted an updated link with details of a DDoS program and a TangoDOWN update file. The paste-bin site also included a list of targets, among them many organizations based in Japan.

CYFIRMA researchers are monitoring the situation and will update as new developments unfold.

Russian Hacker Group Targets German MPs  

Insights: Several members of the Bundestag (German federal parliament) and Landtag (German state legislatures) have been the target of cyberattacks in the past few days – presumably from Russia. Parliamentarians today need to be present on social media such as Facebook, Twitter and Instagram, and the attackers may have compromised their login details on these platforms. The administration of the German Bundestag was promptly informed. The attack has also led Parliament to consider an overhaul of its IT system.

Australia Investigates Suspected Cyberattack on Parliament’s Email System  

Insights: Australia’s leading cybersecurity agency is investigating a suspected breach of the country’s parliamentary email system as well as a cyber-attack on an Australian media company. Internet-facing databases are easy pickings for threat actors as well as amateur cybercriminals. In recent times, organizations that have not protected their critical databases have suffered attacks from ransomware campaigns. Threat actors use automated scripts to continuously scan for exposed databases, probing for weaknesses such as unsecured ports, software vulnerabilities, inadequate access controls, lack of encryption, or databases with no password protection at all.

Mandatory Disclosures of Security Breaches

Insights: A yet-to-be-released US Government executive order would require software vendors to disclose security breaches to the government and to their customers. Software vendors would be asked to work together with specialized government agencies, such as the FBI and CISA, when investigating cyber-incidents. Likely a reaction to the recent SolarWinds attacks, the proposed order is expected to reshape the relationship between major software vendors and government agencies. The order is also expected to push federal agencies to improve their security posture through the adoption of multi-factor authentication and data encryption within their environments.

 

4.    Rise in Malware/Ransomware and Phishing

 

Japanese Corporation, Exedy, Hit by Ransomware

  • Target Industry: Automobile, Manufacturing
  • Target Geography: Japan
  • Attack Type: Ransomware Attacks, DDoS
  • Objective: Data Exfiltration, Data Encryption, Financial Gains
  • Ransomware: Avaddon Ransomware
  • Business Impact: Loss of Data, Potential Lawsuits, Reputational Damage, Financial Loss

Summary: EXEDY Corporation, a Japanese manufacturer of automobile, industrial vehicle, and construction machinery components, is suspected to have been targeted by Avaddon ransomware operators. The exfiltrated data may include confidential and business-critical data such as financial documents, company financial statements, bank transaction details, contracts, employee details, and employee credentials, as well as personal information of customers and employees. The threat actor also indicated an intention to carry out DDoS attacks until a response is received. Threat actors have been observed targeting third parties (suppliers, vendors, and partners) to make inroads into the primary target’s infrastructure. The compromised systems and stolen information may also be used for extortion and tailored attacks on the organization. Entities affiliated with EXEDY Corporation via supply chains may also be exposed and run the risk of suffering similar attacks.

The following screenshots were published in one of the dark web forums:

 

5.    Latest Cyber-Attacks, Incidents, and Breaches

 

Hackers Attack PHP Codebase

  • Targeted Industries: Multiple
  • Target Countries: Global
  • Attack Type: Vulnerabilities and Exploits, Supply Chain Attack
  • Objective: Unauthorized Access, Data Exfiltration, Operational Disruption
  • Business Impact: Data Loss, Financial Impact

Summary: Unidentified threat actors, posing as PHP developers and maintainers Rasmus Lerdorf and Nikita Popov, attempted to compromise the PHP codebase. According to researchers, the root cause of the incident is currently unclear, with suspicion falling on a compromise of the git.php.net server rather than of an individual git account. The malicious activity was identified, and action taken, within a couple of hours. As a precaution, the PHP maintainers have discontinued use of this server.

The screenshot here shows the malicious update in which the hackers masqueraded as Rasmus Lerdorf. The hackers were planting a remote code execution backdoor.

Insights: Last year, security experts highlighted that attacks targeting open-source components surged by 430%, and GitHub reported that 26 open-source projects on its platform had been compromised in a massive supply chain attack. As noted in CYFIRMA’s 2021 Cybersecurity Predictions, with goods and services now flowing through digital systems, a compromise at any stage can have a devastating impact on an organization. Cyberattacks will hit both upstream and downstream of supply chains.

 

6.    Vulnerabilities and Exploits

 

New Vulnerabilities May Allow Attackers to Bypass Spectre Attack Mitigations on Linux Systems

  • Target Technology: Linux
  • Vulnerabilities: CVE-2020-27170 (CVSS Base Score: 4.7), CVE-2020-27171 (CVSS Base Score: 5.5)
  • Vulnerability Type: Exposure of Sensitive Information to an Unauthorized Actor, Integer Underflow (Wrap or Wraparound)
  • Impact: Confidentiality, Integrity

Summary: Recently, an external researcher discovered two vulnerabilities – tracked as CVE-2020-27170 and CVE-2020-27171 – which impact all Linux kernels prior to 5.11.8. While CVE-2020-27170 can be abused to reveal content from any location within kernel memory, CVE-2020-27171 can be used to retrieve data from a 4GB range of kernel memory. The researcher highlighted that the new vulnerabilities may be used to get around Spectre countermeasures in Linux by taking advantage of the kernel’s support for extended Berkeley Packet Filter (eBPF) programs to extract the contents of kernel memory.

Insights: Google published a JavaScript exploit to demonstrate the effectiveness of using the Spectre vulnerability in browsers to access information in memory. This proof-of-concept (PoC) exploit reportedly works across a variety of architectures, operating systems, and hardware generations. It shows in practice that the protective mechanisms browser developers have added (for example, site isolation, Cross-Origin policies, Cross-Origin Read Blocking, and so on) do not work.

As part of CYFIRMA’s Cybersecurity Predictions for 2021, we predicted that risks associated with perimeter defense, passwords and authentication, data storage, protection, back-up, and retention will present more challenges to cybersecurity teams. In particular, cybercriminals will adopt new attack methods that exploit the vulnerabilities presented by the ever-increasing adoption of digital technologies.

 

7.    Data Leak

 

Critical Data of Indian Telecommunication firm Leaked

  • Target Industry: Telecommunication
  • Target Countries: India
  • Attack Type: Data Leak
  • Objective: Financial Gains
  • Business Impact: Reputational Damage, Regulatory Implication, Financial Loss, Loss of Competitive Advantage

Summary: A threat actor appears to have secured access to critical data (from 2018-2021) belonging to one of India’s major telecommunication companies. The data leak, observed in one of the underground forums, includes confidential information such as customer details (username, password, phone number) and employee email backups, as well as critical information about the impacted organization’s infrastructure, such as credentials for server access, admin panels, internal network details, and more.

The following screenshot was taken from the underground forums:

 

36M Brazilian User Data for Sale in Dark Web Marketplace

  • Target Industry: Insurance
  • Target Countries: Brazil
  • Attack Type: Data Leak
  • Objective: Financial Gains
  • Business Impact: Reputational Damage, Regulatory Implication, Financial Loss, Loss of Competitive Advantage

Summary: Around 36 million user records pertaining to Brazilian citizens were observed being put up for sale in underground forums. The leaked data includes details such as full name, date of birth, CPF (the Brazilian individual taxpayer number), and gender. The threat actor appears to have secured access to the information around January 2021.

The following screenshot was taken from the underground forums:

8.   Recommendations

 

STRATEGIC RECOMMENDATIONS:

  1. Deploy an advanced Endpoint Detection and Response (EDR) engine as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  2. Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  3. Establish a robust plan for critical data protection programs, Business Continuity, Disaster Recovery, and Incident Response for minimal disruption.
  4. Establish a robust plan to identify assets by leveraging a risk-based approach along with the Defense-in-Depth (DiD) method as part of the organization’s security strategy, to reduce the risk exposure of vulnerabilities to a level acceptable for the organization.
  5. Create a strategy of layering security controls in the organization to make it difficult for adversaries to carry out reconnaissance, exploit weaknesses in systems, and exfiltrate data.

MANAGEMENT RECOMMENDATIONS:

  1. Mitigation activity must be tracked, and situations in which there has been a formal decision not to mitigate must be documented. Such practices improve vulnerability management and prove helpful during audits and regulatory inquiries in demonstrating due diligence.
  2. Employ prudent systems, processes, and procedures to mitigate and manage cybersecurity risks, including disaster recovery and business continuity plans.
  3. Implement cybersecurity awareness programs for all employees and contractors.
  4. Create a policy to disable automatic loading of JavaScript from known/unknown websites in your organization’s web browsers. Adversaries could potentially leverage malicious software to exploit the vulnerabilities remotely.
  5. Take advantage of Cyber Intelligence where valuable insights on threat actor activity, detection and mitigation techniques will be helpful to avoid becoming a victim to cyberattacks.
  6. Measure performance continuously through process audits and cybersecurity exercises.
  7. Integrate CTI feeds with existing SIEM solutions to allow faster detection and alerting of malicious activities. Enrich threat intelligence by combining local monitoring with internal and external feeds.

TACTICAL RECOMMENDATIONS:

  1. Patch software/applications as soon as updates are available.
  2. Ensure backups of critical systems are maintained and can be used to restore data in case a need arises.
  3. Ensure that all accounts and systems are protected by strong passwords and multi-factor authentication.
  4. Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  5. Ensure that a combination of security controls such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout is implemented and adequately strengthened to thwart automated brute-force attacks.
  6. All transmission control protocol (TCP) or user datagram protocol (UDP) network traffic involving DDNS subdomains should be blocked and logged using the domain name service response policy zone (DNS RPZ).
  7. Ensure active network infrastructure monitoring armed with next-generation security solutions that enable real-time monitoring of any policy violations, data leaks, anomalous activity, and potential threats.
  8. Secure Remote Desktop Protocol (RDP) connections with complex passwords, virtual private networks (VPNs), and Network Level A
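As an added illustration of tactical recommendation 6 (not part of the original report), the BIND response policy zone below answers NXDOMAIN for a dynamic-DNS provider and every subdomain beneath it, so hosts on the network cannot resolve those names in the first place, while still letting one business-approved host through. The provider name ddns-provider.example and the hostname allowed-host are constructed placeholders; substitute the DDNS domains your organisation has no legitimate use for.

```zone
; /etc/bind/db.rpz.local  (constructed example, not from the report)
; Load it from named.conf with:  response-policy { zone "rpz.local"; };
$TTL 60
@   IN SOA  localhost. hostmaster.localhost. ( 2021040301 3600 900 604800 60 )
    IN NS   localhost.

; QNAME triggers. "CNAME ." rewrites the answer to NXDOMAIN.
; The apex entry catches queries for the provider domain itself,
; the wildcard entry catches every customer subdomain under it.
ddns-provider.example       CNAME .
*.ddns-provider.example     CNAME .

; RPZ applies the most specific matching trigger, so an explicit
; passthru for one approved host wins over the wildcard above.
allowed-host.ddns-provider.example  CNAME rpz-passthru.
```

Route BIND’s `rpz` logging category to its own file so each rewritten query (client address, name, and action) is recorded for the SOC, which is the "logged" half of the recommendation. Because this only blocks name resolution, pair it with egress filtering for clients that could reach a DDNS host by a cached or hard-coded IP address.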

Drop us a note at [email protected] if you’d like more insights.

 
