Weekly Intelligence Report – 14 Sep 2023

Published On : 2023-09-14
Share :
Weekly Intelligence Report – 14 Sep 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.


CYFIRMA Research and Advisory Team has found ransomware known as Xollam while monitoring various underground forums as part of our Threat Discovery Process.


Xollam, a .NET executable, represents a modified iteration of the TargetCompany ransomware strain.

It encrypts files, appends the “.xollam” extension to filenames, and creates the “FILE RECOVERY.txt” text file containing a ransom note.

The TargetCompany ransomware, which first appeared in June 2021, has undergone multiple name changes, reflecting significant updates like encryption algorithm modifications and different decryption characteristics. Initially, it appended “.tohnichi” extensions, reflecting targeted attacks on specific victim companies. Subsequently, the group used victim organization names as extensions. Security experts later dubbed it “TargetCompany.”

Variants like Tohnichi (2021), Mallox, and Fargo (2022) exploit Microsoft SQL Server vulnerabilities to breach enterprise defences.

Researchers found that Xollam employed a technique resembling phishing attacks by utilizing Microsoft OneNote files to infiltrate enterprises and disseminate malware. This new variant of TargetCompany ransomware spreads through spam emails that carry malicious OneNote attachment files.

It is found that Xollam employs a fileless technique akin to using PowerShell for reflective loading, enabling the downloading of malicious files.

The Xollam strains were also found on the SQL server which is hosted in Azure. TargetCompany ransomware group employs multiple tools for evading and disabling antivirus software, like GMER and Advanced Process Termination. Additionally, the presence of YDArk.exe (PCHunter64) is seen as potentially used for rootkit functionalities.

The ransomware group also attempts to deploy a program called KILLAV to halt security software processes and services. Furthermore, it installs a batch file named “killer.bat” to terminate various services and applications, including those related to GPS, and gathers system information, including computer details and related data.

This ransomware employs encryption techniques, including ChaCha20, Curve25519 (an ECC algorithm), and AES-128, to encrypt the victim’s files.

Screenshot of a Files Encrypted by Xollam Ransomware. (Source: Surface Web)

Screenshot of a ransom note by Xollam Ransomware. (Source: Surface Web)

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware’s multifaceted encryption methods signify its sophisticated and strong data protection measures against decryption attempts.
  • The ransomware utilizes ChaCha20, which is indeed renowned for its speed and efficiency as a symmetric encryption algorithm.
  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to evade detection and gain access to sensitive information.
  • Long sleep periods: The malware performs long sleep during execution, indicating that it may be designed to avoid detection or delay its actions on the compromised system.
  • Direct CPU clock access: The malware’s capability to directly access the CPU clock suggests that it may be able to evade traditional detection methods that rely on monitoring system behaviour.
  • Runtime modules: The ransomware has runtime modules, which means that it can download and execute additional code on the compromised system.

ETLM assessment

CYFIRMA’s Assessment based on available information states that, the TargetCompany ransomware group, including its variants like Xollam, has demonstrated an evolving and sophisticated threat landscape. These attackers continuously adapt their tactics, techniques, and procedures, making it challenging to predict specific future targets. However, organizations across various industries, especially those with vulnerable Microsoft SQL Server deployments, should remain vigilant. Additionally, businesses relying heavily on Microsoft technologies may face increased risk. We will continue to monitor and provide a more comprehensive assessment when further information becomes available.

Following are the TTPs based on MITRE Attack Framework.

Sr.No Tactics Techniques/Sub-Techniques
1 TA0001:Initial Access T1566: Phishing
2 TA0002:Execution T1047: Windows Management Instrumentation
T1059: Command and Scripting Interpreter
T1569.002: System Services: Service Execution
3 TA0003:Persistence T1543.003: Create or Modify System Process: Windows Service
4 TA0004: Privilege Escalation T1055: Process Injection
T1543.003: Create or Modify System Process: Windows Service
5 TA0005: Defense Evasion T1036: Masquerading
T1055: Process Injection
T1070.004: Indicator Removal: File Deletion
T1497: Virtualization/Sandbox Evasion
T1562.001: Impair Defenses: Disable or Modify Tools
T1564.001: Hide Artifacts: Hidden Files and Directories
6 TA0007:Discovery T1010: Application Window Discovery
T1016: System Network Configuration Discovery
T1018: Remote System Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1497: Virtualization/Sandbox Evasion
T1518.001: Software Discovery: Security Software Discovery
7 TA0011: Command and Control T1071: Application Layer Protocol
T1095: Non-Application Layer Protocol
T1573: Encrypted Channel
8 TA0040:Impact T1486: Data Encrypted for Impact

Sigma Rule:

title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.defense_evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘diskshadow.exe’
selection1_cli: CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) fields:
– CommandLine
– ParentCommandLine falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface Web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Data theft
Target Technology: MacOS

Active Malware of the Week
This week “MetaStealer” is trending.


Researchers have identified a new malware called MetaStealer, which is targeting Apple macOS. This malware is the latest addition to a growing list of information-stealing malware families that specifically target the macOS platform. MetaStealer stands out from recent information-stealing malware due to its unique characteristics and shows interesting similarities with other malicious software. This highlights the proactive tactics of threat actors who are targeting macOS businesses by pretending to be fake clients and manipulating victims into activating harmful payloads.

Attack Strategy

Researchers have observed the samples of MetaStealer are distributed in malicious application bundles contained in disk image format (.dmg) with names indicating that the targets were business users of Mac devices. MetaStealer disk images contain names such as,

  • “Advertising terms of reference (MacOS presentation).dmg”
  • “CONCEPT A3 full menu with dishes and translations to English.dmg”
  • “AnimatedPoster.dmg”
  • “Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg”

The disk image droppers often feature names like “Official Brief Description,” for instance, “(Cover references, tasks, logos, brief) \ YoungSUG_Official_Brief_Description_LucasProd.dmg.” These names imply that they were used as bait to target macOS business users. In a specific incident, a malicious variant of MetaStealer was uploaded to VirusTotal under the name “Contract for payment & confidentiality agreement Lucasprod.dmg,” with a comment from the victim explaining how they were enticed into downloading it.

In addition, various versions of MetaStealer have employed names that impersonate Adobe files or software, like “AdobeOfficialBriefDescription.dmg” and “Adobe Photoshop 2023 (with AI) installer.dmg.” This targeted approach toward business users is somewhat atypical for macOS malware, as it typically spreads through torrent sites or suspicious third- party software sources, where cracked versions of popular business and productivity software are more commonly found.

MetaStealer Malicious Application Bundles

The MetaStealer disk images contain macOS bundles that include the essential components for validity: an Info.plist file, a Resources folder with an icon image, and a MacOS folder containing the malicious executable. While some versions featured an embedded Apple Developer ID string (Bourigaultn Nathan (U5F3ZXR58U)) within the executable, none of the observed samples had a code signature or utilized ad hoc signing. Consequently, to execute these files, the threat actor would likely need to convince or guide the victim to bypass security measures like Gatekeeper and OCSP. Interestingly, all collected samples are exclusively Intel x86_64 binaries, which means they cannot run on Apple’s M1 and M2 machines without Rosetta’s assistance.

MetaStealer Obfuscated Go Executable

The primary executable within MetaStealer bundles is an Intel x86 Mach-O file containing compiled and heavily obfuscated Go source code. This code has had its Go Build ID removed, and function names have been obfuscated. The obfuscation technique used resembles that seen in obfuscated Sliver and Poseidon malware binaries, possibly attributed to the garble obfuscator or similar tools. Despite the obfuscation, some discernible traces of the binary’s functionality remain, including functions for extracting data from the keychain, retrieving stored passwords, and collecting files. Some versions of MetaStealer also appear to target Telegram and Meta services. Additionally, there have been instances of MetaStealer attempting to establish outgoing TCP connections to specific hosts and ports (13[.]125[.]88[.]10 or 13[.]114[.]196[.]60 on port 3000).


  • What sets MetaStealer apart from the recent surge of malware is its distinct focus on business users and its specific goal of extracting valuable keychain and related data from these individuals. This prized information holds significant value and can serve as a springboard for subsequent cybercriminal actions or a means to establish a presence within a broader corporate network.
  • The appearance of MetaStealer underscores a shifting threat landscape that has important implications for macOS users, especially those in business contexts. While macOS has historically been viewed as a secure platform, the increasing attention from threat actors signifies a concerning trend. The theft of keychain data, containing sensitive credentials and encryption keys, poses a substantial risk that could lead to more security breaches.
  • Researchers previously found that threat actors were renting out the macOS infostealer, Atomic Stealer, on a Telegram channel. Recently, they uncovered a similar distribution tactic where Atomic Stealer used malvertising on Google Ads, disguised as a fake TradingView app. Interestingly, some versions of MetaStealer are also pretending to be TradingView, highlighting the adaptability of these cyber threats.


CYFIRMA Observed the continuous improvement and evolution of this by its operators suggest a challenging future for macOS users. As macOS remains the choice of many high-profile individuals, the persistent targeting of this operating system is expected to continue. Various malware families are already focusing on infiltrating macOS, and MetaStealer’s presence adds to this concern. In the coming years, CYFIRMA believes there will be an elevated risk as malware similar to MetaStealer becomes more sophisticated and finds new ways to infiltrate systems, posing a heightened risk to users. The stolen data could be employed for espionage or financial gain, and although macOS malware isn’t widespread, its potential impact on victims could be devastating, making robust cybersecurity practices and vigilance crucial for mitigating future threats.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
  • Avoid downloading and executing files from unverified sources.
  • Avoid free versions of paid software.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enforce policies to validate third-party software before installation.
  • Evaluate the security and reputation of each piece of open-source software or utilities before usage.
  • Keep all software up-to-date and turn on automatic updates whenever possible.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption, Reputational Damage.
  • Ransomware –LockBit 3.0 Ransomware | Malware – MetaStealer
  • LockBit 3.0 Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – MetaStealer
  • Behavior –Most of these malware use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

New Cyber Espionage Group Redfly Targets Critical Infrastructure

  • Threat Actors: Redfly
  • Attack Type: Unknown
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Asia
  • Target Industries: Power
  • Business Impact: Operational Disruption

In a recent observation, researchers detected a new China-based cyber-espionage group known as ‘Redfly’. The APT group successfully infiltrated a prominent Asian national electricity grid organization, maintaining unauthorized access to its network for a six-month period. Researchers also uncovered the use of ShadowPad malware activities within the organization’s infrastructure from February 28 to August 3, 2023.

ShadowPad is a remote access Trojan (RAT), that was modified as a successor to the Korplug/PlugX Trojan. It was, for a time, available for purchase in underground forums. Additionally, the presence of keyloggers and specialized file launchers was detected, underscoring the extent of the intrusion. Although ShadowPad is a widely available trojan employed by various APT groups, the investigation highlights Redfly’s unique concentration on critical national infrastructure. The ShadowPad variant utilized in these attacks camouflages its components as VMware files for stealthy behavior.

Moreover, it ensures persistence by creating services named after VMware, scheduled to initiate the malicious executable and DLL during system startup. ShadowPad, renowned for its versatility as a modular RAT, supports functions like data exfiltration to the Command-and-Control server, keystroke recording, file searching and manipulation, and remote command execution. The group utilized Packerloader to load and execute shellcodes wrapped within AES-encrypted files, effectively evading antivirus detection. This tool was employed to execute code modifications in driver files, enabling the creation of credential dumps in the Windows registry for future use while simultaneously erasing Windows security event logs.

Relevancy & Insights:
Experiencing such severe attacks is undoubtedly an unfortunate situation for any nation. Nevertheless, there is a silver lining in the whole incident, the attack was successfully identified and thwarted. Detecting and preventing persistent access to critical infrastructure is crucial, as such access could potentially be exploited for strategic offensives in times of conflict or during periods of geopolitical instability. However, following our recommendation section can help such critical industries avoid the attack in the very initial stage.

ETLM Assessment:
Attacks on critical infrastructure by nation-based threat actors like Redfly can leave substantial threats in the future. These attacks not only disrupt essential services, cause economic losses, or could be leveraged during the ongoing war. The interconnected nature of critical infrastructure can lead to negative effects, affecting multiple sectors. Additionally, such attacks may involve data breaches, and theft, posing multifaceted challenges for defense. As attackers continually refine their methods, it is imperative for governments, organizations, and infrastructure operators to prioritize cybersecurity.


  • Train employees at all levels on cybersecurity best practices and awareness. Human error remains a common entry point for attackers, so educating staff is critical.
  • Assess the security practices of third-party vendors and contractors who have access to critical systems. Ensure they adhere to high-security standards.
  • Implement strict access controls, ensuring that only authorized personnel have access to critical systems. Use strong authentication methods, such as multi-factor authentication (MFA).

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

India G20 Cyber Threat

  • It is reported that the websites of the Delhi Police and Mumbai Police were targeted multiple times during the G20 summit by a Pakistani group called ‘Team Insane PK’, who are largely known for Distributed Denial of Services (DDoS) and defacement attacks on Indian businesses.
  • Each attack caused the websites some downtime (sometimes up to half an hour), and whilst they were able to restore it every time, the attacks were of little significance and arguably unlikely to have caused any embarrassing disruption.
  • These attacks are the latest in a series that have targeted Indian government websites in recent months. In June, Indian Railways and the Reserve Bank of India were compromised, and G20 cyber assaults had been threatened by various malicious groups in the run-up to the summit.
  • This type of public violation is a reminder of the growing threat of cyberattacks – especially against government websites – which demonstrates the vigilance, businesses and organizations need to protect themselves.
  • Prior to the G20 summit, various hacktivist groups from Pakistan and Indonesia had threatened attacks against Indian digital infrastructure.

ETLM Assessment:

  • Cyberattacks were expected during the G20 summit, and the Indian government and various industries took steps to address them beforehand. The impact of these attacks appears to have been overall minimal, most likely due to the meticulous preparation and effective coordination of Indian cybersecurity agencies.
  • CYFIRMA assesses that the risk of further attacks by the same threat actors will persist, especially as India enters a period of national and religious festivities. The threat actors that pose the greatest risk are those from Pakistan and Indonesia, both of which participated in the pre-G20 “OpIndia” planned attack. These actors are primarily motivated by political and religious factors, which increases the risk during this upcoming period. CYFIRMA will continue to monitor these threat actors closely.

Rise in Malware/Ransomware and Phishing

Hanwha Group is Impacted by LockBit 3.0 Ransomware

  • Attack Type: Ransomware
  • Target Industry: Chemicals, Petrochemicals, Manufacturing, Glass & Gases
  • Target Geography: South Korea
  • Ransomware: LockBit 3.0 Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from South Korea, (www[.]hanwha[.]com), was compromised by LockBit 3.0 Ransomware. Hanwha group is a global leader with a diversified business portfolio, covering green energy, materials, aerospace, ocean & mechatronics, finance, and retail and services, Hanwha group delivers future-ready solutions and impactful innovations that power industries and enrich communities. The data that has been compromised remains unreleased on the leak site, suggesting the possibility of ongoing negotiations between the victim and the ransomware group. It is conceivable that the compromised data includes sensitive and confidential information.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • In 2023, LockBit 3.0 ransomware has become a global threat, infiltrating numerous private and government institutions worldwide. Remarkably, the United States has experienced the greatest impact, with approximately 35% of the country’s targeted organizations falling victim to ransomware.
  • Based on the LockBit 3.0 Ransomware victims list, the top 5 Target countries are as follows:
  • Ranking the Top 10 Sectors Most Affected by LockBit 3.0 Ransomware:

ETLM Assessment:

  • While there is not much information available on the recent LockBit 3.0 attack on Hanwha, the data that has been compromised remains unreleased on the leak site, suggesting the possibility of ongoing negotiations between the victim and the ransomware group. It is conceivable that the compromised data includes sensitive and confidential information.
  • CYFIRMA’s assessment remains unchanged, in that we believe the LockBit 3.0 ransomware will maintain a focus on US-based companies as seen in the above graph. However other large global companies can still be targeted as seen in the recent Hanwha attack.

Vulnerabilities and Exploits Vulnerability in Zoom CleanZoom

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Client/Desktop Applications
  • Vulnerability: CVE-2023-39201 (CVSS Base Score 7.2)
  • Vulnerability Type: Untrusted Search Path

The vulnerability allows a local user to escalate privileges on the system.

Relevancy & Insights:
The vulnerability exists due to usage of an untrusted search path.

A local user can place a malicious binary into a specific location on the system and execute arbitrary code with escalated privileges.
Affected Products: https[:]//explore[.]zoom[.]us/en/trust/security/security-bulletin/#ZSB- 23045


  • Mitigation Priority: Given the potential for privilege escalation, this vulnerability should be addressed as a high-priority security concern within the context of an ETLM strategy.
  • Patch Availability: Zoom has released a patch or update to address this specific vulnerability. Ensure that the patch management process is in place to promptly apply security updates.

Latest Cyber-Attacks, Incidents, and Breaches Hackers Launch DDoS Attack on Telegram

  • Threat Actors: Anonymous Sudan
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Instant messaging service
  • Target Geographies: Global
  • Target Industries: Social Media
  • Business Impact: Operational Disruption

The hacker group Anonymous Sudan has launched a distributed denial-of-service (DDoS) attack against Telegram in retaliation to the messaging platform’s decision to suspend their primary account. Purporting to be a hacktivist collective, driven by political and religious motivations, Anonymous Sudan has conducted distributed denial-of-service (DDoS) assaults on entities across Australia, Denmark, France, Germany, India, Israel, Sweden, and the United Kingdom. Since the start of the year, this group has been in operation and set up its Telegram channel on January 18, where they declared their intention to conduct cyberattacks against any entity that opposes Sudan. Their initial activities involved targeting numerous websites in Sweden. Nonetheless, Anonymous Sudan gained widespread attention in June when they initiated a string of disruptive distributed denial-of-service (DDoS) attacks aimed at Microsoft 365, resulting in disruptions to Outlook, Microsoft Teams, OneDrive for Business, and SharePoint Online. Microsoft’s Azure cloud computing platform was also impacted by these attacks. Anonymous Sudan proudly claimed responsibility for the assault on its Telegram channel, and Microsoft, tracking the group under the codename Storm-1359, verified that DDoS attacks were indeed the source of the disruptions. Towards the end of August, the group directed their efforts at X (formerly Twitter), launching a disruptive distributed denial-of-service (DDoS) attack with the aim of pressuring Elon Musk to introduce the Starlink service in Sudan. The assault on Telegram, in contrast to the group’s usual objectives, had a distinct motive, yet it failed to accomplish its goal. Consequently, the hacktivists have temporarily relocated their primary Telegram channel.

Relevancy & Insights:
The observed campaigns have no link to political issues related to Sudan, the group does not seek the support of pro-Islamic groups and only interacts with Russian hackers, and mainly posts in English and Russian, instead of Arabic.

ETLM Assessment:
While the DDoS attack on Telegram is not the normal modus operandi for Anonymous Sudan, and the groups motivations are unclear, it could be that their main account was banned by Telegram. We have seen, they have also previously attacked X (formally Twitter), but their motivations were clearer and this related to the Star link service. We therefore assess that further DDoS attacks against Telegram and its associated platforms are possible if their new account is also banned.

Data Leaks

THAIRUNG GROUP’s Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Automobiles
  • Target Geography: Thailand
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to Thairung Group, {www[.]thairunggroup[.]co[.]th}. Thairung is a leading group of companies in the automobile business with more than 40 years of experience, that is now expanding into the property sector. The compromised data consists of customer IDs, first names, last names, districts, provinces, postcodes, phone numbers, fax numbers, mobile numbers, emails, and other confidential information stored in SQL format. The total size of the compromised data is 8 gigabytes.

Source: Underground forums

Relevancy & Insights:
Cybercriminals driven by financial incentives are perpetually searching for opportunities involving unprotected and susceptible computer systems and software applications. Most of these malicious actors conduct their activities within covert online communities where they engage in discussions related to their illicit pursuits, including the trade of stolen digital assets. In contrast to other financially motivated threat actors, such as ransomware or extortion groups, who often publicize their attacks, these individuals prefer to remain discreet. Their modus operandi involves infiltrating and pilfering valuable information through the exploitation of unpatched systems or vulnerabilities in software or hardware. Subsequently, they promote the stolen data for sale in clandestine online forums, where it may be acquired, resold, and repurposed by other cybercriminals for their own nefarious activities.

Other Observations

CYFIRMA Research team observed a potential data leak related to the Dergi Platform, {www[.]dergiplatformu[.]com}. Dergi Platform is used for academic journals published anywhere in the world, in Turkey, or in electronic media, hosting and management services, offering editorial process. The compromised data includes email addresses, passwords, phone numbers, and various confidential details formatted in SQL.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.