Weekly Intelligence Report – 14 Apr 2023

Published On : 2023-04-14

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Payload Delivery, Cyber Espionage, Data destruction, Persistence, and Lateral movement
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption, Information Exposures
  • Ransomware – Royal Ransomware | Malware – CryptoClippy
  • Royal Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – CryptoClippy
  • Behavior – Most of these malware families use phishing and social engineering as their initial attack vector. Beyond these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are also being observed.

Threat Actor in Focus

Mercury aka MuddyWater Collaborated with an Unknown Threat Actor Named DEV-1084

  • Suspected Threat Actors: MuddyWater aka Mercury
  • Attack Type: Vulnerability Exploitation followed by malware implant
  • Objective: Data Destruction, Lateral movement, and Persistence
  • Target Technology: Web Application and Windows
  • Business Impact: Data Loss and Operational Disruption

In recent activity, researchers discovered the Iran-based threat actor MERCURY targeting both on-premises and cloud environments. This threat actor likely worked together with an unidentified threat actor temporarily named DEV-1084 to carry out destructive cyber-attacks. The activity was disguised as a ransomware attack; however, the actual aim was disruption and mass destruction. The attack was first observed in July 2022. It appears that MERCURY gained initial access by exploiting known vulnerabilities (Log4j) in unpatched applications. Afterward, MERCURY handed off that access to DEV-1084, which then carried out extensive reconnaissance and discovery to establish persistence and move laterally throughout the network. This process was slow, and the attacker often waited for weeks or even months before moving to the next stage of the attack. DEV-1084 was found to be using compromised, highly privileged credentials to launch large-scale destructive actions, leading to the destruction of numerous resources, such as server farms, virtual machines, storage accounts, and virtual networks, as well as sending emails to both internal and external recipients.

Threat actors use various techniques to maintain persistence and gain access to compromised devices, such as installing web shells, elevating privileges, and stealing credentials. Once persistence is established, they perform extensive discovery using native Windows tools and commands. The attackers then move laterally throughout the network using acquired credentials, leveraging remote scheduled tasks, WMI, and remote services to launch attacks.

Failure to patch the Log4j vulnerability, which carries a CVSS score between 9 and 10, has attracted Advanced Persistent Threats (APTs) such as APT35, APT41, Lazarus, Budworm, TunnelVision, and many others. This case, however, is a fresh observation: MuddyWater was seen exploiting Log4j again after a long gap.

The current assessment by researchers indicates that MERCURY gains access to targets through remote exploitation of unpatched internet-facing devices. Following the initial access, MERCURY transfers control to DEV-1084. At present, it remains unclear whether DEV-1084 operates independently of MERCURY and collaborates with other Iranian actors or if it is an ‘effects-based’ sub-team of MERCURY that emerges only upon receiving instructions to carry out destructive attacks.

Major Geopolitical Developments in Cybersecurity

China develops $500 million undersea internet cable network

Chinese state-owned telecom firms are developing a $500m undersea fiber-optic internet cable network that would link Asia, the Middle East, and Europe, rivaling a similar U.S.-backed project. According to media reports, three of China’s main carriers are now mapping out the subsea cable network, which would link Hong Kong to China’s island province of Hainan before continuing to Singapore, Pakistan, Saudi Arabia, Egypt, and France. The Chinese government will provide funding for HMN Technologies to construct the cable. Citing security concerns, the United States has already blocked Chinese undersea cable projects that would have connected the two countries. Almost 95% of all internet data is routed across submarine cables, and experts have warned that China’s access to these cables might be used for spying.

Newly described APT attributed to North Korea

Researchers have recently named and described a formerly unnamed cybercrime group, now known as APT43. After five years of observing this APT’s activities, the researchers have also established the actor’s links to North Korea, based on targeting that aligns with the mission of the Reconnaissance General Bureau (RGB), North Korea’s main foreign intelligence service. Researchers have also described the APT’s activity in acquiring and laundering cryptocurrency via illicit means to fund the DPRK’s espionage operations. This contrasts with other North Korean actors, who appear to pass the stolen cryptocurrency down the line to finance the government’s general operations in Pyongyang.

According to further reports, the group also focuses on targeted espionage beyond its criminal activities. The espionage subset of this actor’s activity has been dubbed “ARCHIPELAGO” and targets individuals with expertise in North Korean policy issues such as sanctions, human rights, and nuclear non-proliferation. In this campaign, the APT invests time and effort in building relations with its targets, often corresponding with them by email over several days or weeks before finally sending a malicious link or file. Researchers also note that, under ARCHIPELAGO, APT43 concentrated on conventional credential phishing attacks for several years, and that the actor frequently password-protects its malware to prevent AV scanning, distributing the password to recipients in the phishing email.

Suspected Russian government APT leader exposed by hacktivists

The Ukrainian hacktivist group InformNapalm has released more information on the officer believed to oversee the Russian government’s advanced persistent threat known as Fancy Bear or APT 28, which is a part of Russian military intelligence or more precisely the 85th Main Special Service Center of the GRU, military unit #26165. The officer in question is Lieutenant Colonel Sergey Alexandrovich Morgachev and Ukrainian hacktivists from the Cyber Resistance team handed over a complete dump of his correspondence and personal files for publication. The hacktivists stated that all interested parties, “from the FBI to journalists, experts and members of the public … can independently investigate the facts set forth in this publication and find other information that may be useful for further investigations”. The officer’s data contains details about his personal life and current residence and service in 2023, including numerous images with scans of personal documents and people associated with him. Morgachev is currently wanted by the FBI for Conspiracy to Commit an Offense Against the United States; Aggravated Identity Theft or Conspiracy to Commit Money Laundering.

Other Observations

CYFIRMA Research team observed that the recent collapse of Silicon Valley Bank (SVB) has raised concerns among cybersecurity experts about potential risks for the financial sector. Cybercriminals often use such events to craft cyber-attacks, since people are more likely to fall for scams when emotionally vulnerable or worried about their financial security. The collapse of a financial institution can create chaos and uncertainty, which cybercriminals can exploit to their advantage. Cybercriminals may use a bank crash to gain access to sensitive information by tricking users into divulging their login credentials, which they can then use to steal money or other sensitive information.

Source: Surface Web


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for the behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.