Weekly Intelligence Report – 18 Aug 2023

Published On : 2023-08-18

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.

Introduction
CYFIRMA Research and Advisory Team has found Knight ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Relevancy:
This ransomware targets the Windows Operating system commonly used by many organizations of various industries.

Knight ransomware:
By the close of July, Cyclops, a Ransomware-as-a-Service provider, rebranded and emerged as Knight. Alongside this change, the group modified its lite encryptor to enable ‘batch distribution’ and launched a fresh data leak site.

The researcher detected a spam campaign disguising itself as TripAdvisor complaints, but its underlying intent is to distribute the Knight ransomware. The researcher found that the emails contain ZIP file attachments named ‘TripAdvisorComplaint.zip,’ within which lies an executable file named ‘TripAdvisor Complaint – Possible Suspension.exe.’

A more recent iteration of this campaign was identified and analyzed recently. This version involves an HTML attachment named ‘TripAdvisor-Complaint-[random].PDF.htm.’

Upon opening the HTML file, it employs Mr. D0x’s Browser-in-the-Browser phishing method, creating an apparent browser window resembling TripAdvisor’s interface. This deceptive browser simulation prompts the user to review a restaurant complaint. Yet, clicking the ‘Read Complaint’ button initiates the download of an Excel XLL file named ‘TripAdvisor_Complaint-Possible-Suspension.xll.’ The XLL file is generated using Excel-DNA, a tool that integrates .NET functionality into Microsoft Excel to execute malware upon opening.

When the XLL is accessed, Microsoft Excel identifies the Mark of the Web (MoTW) typically associated with internet-downloaded and emailed files. If the MoTW is detected, the .NET add-in within the Excel document won’t activate, thwarting the attack unless manually unblocked by the user.

However, in the absence of the MoTW flag, Excel only prompts the user to decide whether they wish to enable the add-in. Enabling the add-in triggers the injection of the Knight Lite ransomware encryptor into a new explorer.exe process, which then begins encrypting the computer’s files.
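The MoTW check described above is driven by the Zone.Identifier alternate data stream that NTFS attaches to files saved from a browser or mail client. The following added example (written for this report, not CYFIRMA’s code) parses such a stream and classifies a .xll add-in the way the two paragraphs above describe: marked files are blocked, unmarked files only reach the enable prompt. The stream texts, file names and URLs are constructed samples, and assess_xll and audit are hypothetical helper names.

```python
"""Read the Mark of the Web from a Zone.Identifier stream and classify an XLL add-in.

Added example for this report (not CYFIRMA's code). On NTFS the mark is stored as
the alternate data stream '<file>:Zone.Identifier' in INI format; the stream texts
below are constructed samples of that format.
"""
import configparser
from typing import Dict, Optional

# Windows URL security zone values written to the ZoneId key.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(stream_text: str) -> Dict[str, str]:
    """Return the keys of the [ZoneTransfer] section, or {} if the stream is missing or malformed."""
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return {}
    if not parser.has_section("ZoneTransfer"):
        return {}
    return dict(parser["ZoneTransfer"])  # configparser lower-cases key names


def zone_of(stream_text: Optional[str]) -> Optional[int]:
    """Zone id recorded in the stream, or None when there is no usable mark."""
    if not stream_text:
        return None
    value = parse_zone_identifier(stream_text).get("zoneid")
    return int(value) if value is not None and value.isdigit() else None


def has_mark_of_the_web(stream_text: Optional[str]) -> bool:
    """Files from the Internet (3) or Restricted Sites (4) zones carry the mark."""
    return zone_of(stream_text) in (3, 4)


def assess_xll(filename: str, stream_text: Optional[str]) -> str:
    """Classify how Excel treats the add-in, following the behaviour described in the report."""
    if not filename.lower().endswith(".xll"):
        return "not-xll"
    if has_mark_of_the_web(stream_text):
        return "blocked"   # add-in will not activate unless the user unblocks the file
    return "prompt"        # Excel only asks the user whether to enable the add-in


# Constructed sample streams; the URLs are placeholders, not indicators from the report.
MARKED = ("[ZoneTransfer]\r\nZoneId=3\r\n"
          "ReferrerUrl=https://example.invalid/complaint\r\n"
          "HostUrl=https://example.invalid/TripAdvisor_Complaint-Possible-Suspension.xll\r\n")
INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"
MALFORMED = "ZoneId=3\r\n"  # no section header: treated as no mark


def audit(files):
    """Names of XLL add-ins that would reach the enable prompt because they carry no mark."""
    return [name for name, stream in files if assess_xll(name, stream) == "prompt"]


if __name__ == "__main__":
    samples = [("TripAdvisor_Complaint-Possible-Suspension.xll", MARKED),
               ("copied_from_archive.xll", None),   # constructed: no stream at all
               ("shared_drive_addin.xll", INTRANET),
               ("report.xlsx", MARKED)]
    for name, stream in samples:
        zone = ZONE_NAMES.get(zone_of(stream), "none")
        print(f"{name:48s} zone={zone:16s} -> {assess_xll(name, stream)}")
    print("unmarked add-ins:", audit(samples))
```

On a live system the stream is read with the same path syntax the docstring shows; the point of the audit list is that a .xll in a user profile with no Internet-zone mark is exactly the file Excel will let through to a prompt, so it deserves a look before anyone clicks Enable.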

During the encryption process, the names of encrypted files will have the .knight_l extension appended, with the ‘l’ presumably representing ‘lite.’ The ransomware will also create a ransom note named How To Restore Your Files.txt in each folder on the computer. The ransom note in this campaign demands $5,000 be sent to a listed Bitcoin address and contains a link to the Knight Tor site.

Screenshot of files encrypted by Knight Ransomware (source: surface web)

Knight Ransomware Note (source: surface web)

Insights:

  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Behavior Checks: The ransomware conducts behaviour checks on network adapters, which could indicate attempts to identify potential vulnerabilities or network configurations that could aid in its propagation or evasion of detection.
  • Long sleep periods: The malware performs long sleep during execution, indicating that it may be designed to avoid detection or delay its actions on the compromised system.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to evade detection and gain access to sensitive information.
  • Knight possibly utilizes a sophisticated phishing kit emulating TripAdvisor complaints, tricking users into enabling a malicious Excel add-in, leading to Knight ransomware infection by bypassing security measures.

Following are the TTPs based on the MITRE ATT&CK framework.

Sr. No | Tactic                        | Techniques/Sub-Techniques
-------|-------------------------------|--------------------------------------------------------------------
1      | TA0001: Initial Access        | T1566: Phishing
2      | TA0002: Execution             | T1059: Command and Scripting Interpreter
       |                               | T1129: Shared Modules
3      | TA0003: Persistence           | T1574.002: Hijack Execution Flow: DLL Side-Loading
4      | TA0004: Privilege Escalation  | T1574.002: Hijack Execution Flow: DLL Side-Loading
       |                               | T1055: Process Injection
5      | TA0005: Defense Evasion       | T1027: Obfuscated Files or Information
       |                               | T1036: Masquerading
       |                               | T1055: Process Injection
       |                               | T1112: Modify Registry
       |                               | T1497.002: Virtualization/Sandbox Evasion: User Activity Based Checks
       |                               | T1564.003: Hide Artifacts: Hidden Window
       |                               | T1574.002: Hijack Execution Flow: DLL Side-Loading
6      | TA0006: Credential Access     | T1056.001: Input Capture: Keylogging
7      | TA0007: Discovery             | T1010: Application Window Discovery
       |                               | T1012: Query Registry
       |                               | T1018: Remote System Discovery
       |                               | T1057: Process Discovery
       |                               | T1082: System Information Discovery
       |                               | T1083: File and Directory Discovery
       |                               | T1497.002: Virtualization/Sandbox Evasion: User Activity Based Checks
       |                               | T1518.001: Software Discovery: Security Software Discovery
       |                               | T1614: System Location Discovery
       |                               | T1614.001: System Location Discovery: System Language Discovery
8      | TA0009: Collection            | T1056.001: Input Capture: Keylogging
       |                               | T1113: Screen Capture
       |                               | T1115: Clipboard Data
9      | TA0011: Command and Control   | T1071: Application Layer Protocol
       |                               | T1090: Proxy
       |                               | T1095: Non-Application Layer Protocol
       |                               | T1573: Encrypted Channel
10     | TA0040: Impact                | T1486: Data Encrypted for Impact

Sigma Rule:
title: Creation of an Executable by an Executable
tags:
    - attack.resource_development
    - attack.t1587.001
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '.exe'
        TargetFilename|endswith: '.exe'
    filter_whitelist:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\system32\cleanmgr.exe'
            - 'C:\Windows\explorer.exe'
            - 'C:\WINDOWS\system32\dxgiadaptercache.exe'
            - 'C:\WINDOWS\system32\Dism.exe'
            - 'C:\Windows\System32\wuauclt.exe'
    filter_update:
        # Security_UserID: S-1-5-18
        # Example:
        # TargetFilename: C:\Windows\SoftwareDistribution\Download\803d1df4c931df4f3e50a022cda56e88\WindowsUpdateBox.exe
        Image: 'C:\WINDOWS\system32\svchost.exe'
        TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\'
    filter_upgrade:
        Image: 'C:\Windows\system32\svchost.exe'
        TargetFilename|contains|all:
            # Example:
            # This example was seen during windows upgrade
            # TargetFilename: :\WUDownloadCache\803d1df4c931df4f3e50a022cda56e29\WindowsUpdateBox.exe
            - ':\WUDownloadCache\'
            - '\WindowsUpdateBox.exe'
    filter_windows_update_box:
        # This FP was seen during Windows Upgrade
        # ParentCommandLine: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wuauserv
        Image|startswith: 'C:\WINDOWS\SoftwareDistribution\Download\'
        Image|endswith: '\WindowsUpdateBox.Exe'
        TargetFilename|startswith: 'C:\$WINDOWS.~BT\Sources\'
    filter_tiworker:
        Image|startswith: 'C:\Windows\WinSxS\'
        Image|endswith: '\TiWorker.exe'
    filter_programfiles:
        - Image|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
        - TargetFilename|startswith:
              - 'C:\Program Files\'
              - 'C:\Program Files (x86)\'
    filter_defender:
        Image|startswith:
            - 'C:\ProgramData\Microsoft\Windows Defender\'
            - 'C:\Program Files\Windows Defender\'
    filter_windows_apps:
        TargetFilename|contains: '\Microsoft\WindowsApps\'
    filter_teams:
        Image|endswith: '\AppData\Local\Microsoft\Teams\Update.exe'
        TargetFilename|endswith:
            - '\AppData\Local\Microsoft\Teams\stage\Teams.exe'
            - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe'
            - '\AppData\Local\Microsoft\SquirrelTemp\tempb\'
    filter_mscorsvw:
        # Example:
        # ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior
        # Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4f8c-0\MSBuild.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\49bc-0\testhost.net47.x86.exe
        # TargetFilename: C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\39d8-0\fsc.exe
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
        Image|endswith: '\mscorsvw.exe'
        TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_'
    filter_vscode:
        Image|contains: '\AppData\Local\'
        Image|endswith: '\Microsoft VS Code\Code.exe'
        TargetFilename|contains: '\.vscode\extensions\'
    filter_githubdesktop:
        Image|endswith: '\AppData\Local\GitHubDesktop\Update.exe'
        # Example TargetFileName:
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\GitHubDesktop_ExecutionStub.exe
        # \AppData\Local\SquirrelTemp\tempb\lib\net45\squirrel.exe
        TargetFilename|contains: '\AppData\Local\SquirrelTemp\'
    filter_windows_temp:
        TargetFilename|startswith: 'C:\WINDOWS\TEMP\'
    condition: selection and not 1 of filter_*
falsepositives:
    # Please contribute to FP to increase the level
    - Software installers
    - Update utilities
    - 32bit applications launching their 64bit versions
level: low

(Source: Surface Web)
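Applying the rule above to events depends on Sigma’s matching semantics: string comparisons are case-insensitive, the fields of a map are ANDed, a list of values is ORed (ANDed when the `all` modifier is present), a list of maps is ORed, and the condition `selection and not 1 of filter_*` drops any event that any single filter matches. The following added example, written for this report and not part of the Sigma project or CYFIRMA’s tooling, transcribes the rule’s detection section into Python and runs it over constructed file-creation events; the paths in those events are placeholders, not indicators from this report.

```python
"""Evaluate the Sigma rule above against sample Windows file_event records.

Added example for this report, not part of the Sigma project or CYFIRMA's tooling.
RULE transcribes the rule's detection section; the sample events are constructed.
"""
from typing import Any, Dict, List

RULE: Dict[str, Any] = {
    "selection": {"Image|endswith": ".exe", "TargetFilename|endswith": ".exe"},
    "filter_whitelist": {"Image": [
        "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\system32\\cleanmgr.exe",
        "C:\\Windows\\explorer.exe", "C:\\WINDOWS\\system32\\dxgiadaptercache.exe",
        "C:\\WINDOWS\\system32\\Dism.exe", "C:\\Windows\\System32\\wuauclt.exe"]},
    "filter_update": {"Image": "C:\\WINDOWS\\system32\\svchost.exe",
                      "TargetFilename|startswith": "C:\\Windows\\SoftwareDistribution\\Download\\"},
    "filter_upgrade": {"Image": "C:\\Windows\\system32\\svchost.exe",
                       "TargetFilename|contains|all": [":\\WUDownloadCache\\", "\\WindowsUpdateBox.exe"]},
    "filter_windows_update_box": {"Image|startswith": "C:\\WINDOWS\\SoftwareDistribution\\Download\\",
                                  "Image|endswith": "\\WindowsUpdateBox.Exe",
                                  "TargetFilename|startswith": "C:\\$WINDOWS.~BT\\Sources\\"},
    "filter_tiworker": {"Image|startswith": "C:\\Windows\\WinSxS\\", "Image|endswith": "\\TiWorker.exe"},
    "filter_programfiles": [  # list of maps: either map alone suppresses the event
        {"Image|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]},
        {"TargetFilename|startswith": ["C:\\Program Files\\", "C:\\Program Files (x86)\\"]}],
    "filter_defender": {"Image|startswith": ["C:\\ProgramData\\Microsoft\\Windows Defender\\",
                                             "C:\\Program Files\\Windows Defender\\"]},
    "filter_windows_apps": {"TargetFilename|contains": "\\Microsoft\\WindowsApps\\"},
    "filter_teams": {"Image|endswith": "\\AppData\\Local\\Microsoft\\Teams\\Update.exe",
                     "TargetFilename|endswith": ["\\AppData\\Local\\Microsoft\\Teams\\stage\\Teams.exe",
                                                 "\\AppData\\Local\\Microsoft\\Teams\\stage\\Squirrel.exe",
                                                 "\\AppData\\Local\\Microsoft\\SquirrelTemp\\tempb\\"]},
    "filter_mscorsvw": {"Image|startswith": "C:\\Windows\\Microsoft.NET\\Framework\\",
                        "Image|endswith": "\\mscorsvw.exe",
                        "TargetFilename|startswith": "C:\\Windows\\assembly\\NativeImages_"},
    "filter_vscode": {"Image|contains": "\\AppData\\Local\\",
                      "Image|endswith": "\\Microsoft VS Code\\Code.exe",
                      "TargetFilename|contains": "\\.vscode\\extensions\\"},
    "filter_githubdesktop": {"Image|endswith": "\\AppData\\Local\\GitHubDesktop\\Update.exe",
                             "TargetFilename|contains": "\\AppData\\Local\\SquirrelTemp\\"},
    "filter_windows_temp": {"TargetFilename|startswith": "C:\\WINDOWS\\TEMP\\"},
}


def _match_field(value: Any, modifiers: List[str], patterns: Any) -> bool:
    """Sigma string matching: case-insensitive; a value list is OR unless 'all' is present."""
    v = str(value).lower()
    pats = [str(p).lower() for p in (patterns if isinstance(patterns, list) else [patterns])]

    def one(p: str) -> bool:
        if "startswith" in modifiers:
            return v.startswith(p)
        if "endswith" in modifiers:
            return v.endswith(p)
        if "contains" in modifiers:
            return p in v
        return v == p

    hits = [one(p) for p in pats]
    return all(hits) if "all" in modifiers else any(hits)


def _match_block(event: Dict[str, str], block: Any) -> bool:
    """A map ANDs its fields; a list of maps ORs the maps."""
    if isinstance(block, list):
        return any(_match_block(event, m) for m in block)
    for key, patterns in block.items():
        field, *mods = key.split("|")
        if not _match_field(event.get(field, ""), mods, patterns):
            return False
    return True


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_*"""
    if not _match_block(event, RULE["selection"]):
        return False
    return not any(_match_block(event, RULE[n]) for n in RULE if n.startswith("filter_"))


def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


# Constructed events (placeholder paths, not indicators from the report).
EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\Complaint.exe",              # user-land binary writing
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\svc.exe"},   # another .exe: should alert
    {"Image": "C:\\WINDOWS\\system32\\svchost.exe",                      # Windows Update staging
     "TargetFilename": "C:\\Windows\\SoftwareDistribution\\Download\\0000\\WindowsUpdateBox.exe"},
    {"Image": "C:\\Program Files\\Vendor\\setup.exe",                    # installer (filter_programfiles)
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Vendor\\app.exe"},
    {"Image": "C:\\Users\\alice\\Downloads\\Complaint.exe",              # DLL write: outside selection
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\helper.dll"},
]

if __name__ == "__main__":
    for i in alerts(EVENTS):
        print("ALERT:", EVENTS[i]["Image"], "->", EVENTS[i]["TargetFilename"])
```

Only the first event survives: it is an executable in a user profile writing a second executable, and none of the filters describe it. The second and third events show why the rule is rated `low`: Windows Update and installers create executables constantly, and the filter list is what keeps the rule usable, so any local additions to it should be as specific as the existing entries.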

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATION

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATION

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATION

  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Steal Sensitive Information, Remote Access
Target Geographies: Thailand, Indonesia, Vietnam, Philippines, Peru
Target Industries: Financial Institutions, Banks, and Government.
Target Technology: Android OS

Active Malware of the Week
This week “Gigabud” is trending.

Gigabud
Researchers have discovered a new malware called Gigabud RAT that has a unique characteristic of not initiating any malicious actions until a user is authorized into the malicious application by a fraudster, making it difficult to detect. Rather than using HTML overlay attacks, this malware primarily collects sensitive information by recording the screen.

Additionally, a related variant of this malware, named Gigabud.Loan, which does not have Remote Access Trojan (RAT) capabilities, has been found. Gigabud.Loan masquerades as a fake loan application, tricking users into sharing their input data. Both Gigabud RAT and Gigabud.Loan have the same architecture and certificate, implying they belong to the same malware family. Since July 2022, Gigabud.Loan has been masquerading as applications of fictional financial institutions from Thailand, Indonesia, and Peru.

Attack Strategy
Both the Gigabud.Loan and Gigabud.RAT malware spread through phishing websites across countries such as Thailand, Indonesia, Vietnam, the Philippines, and Peru. The malware is delivered to victims through methods like smishing (via instant messengers, SMS, or social networks), urging them to visit phishing websites under the guise of tax audits and refunds. These sites lead to the download of malicious Android applications masquerading as official government and financial institution apps. These applications are hosted on consonant domains.

Gigabud.Loan is also delivered as a direct APK file through instant messengers. Android allows users to install apps from sources other than the official app store, but devices generally block installation from unknown sources by default. The “REQUEST_INSTALL_PACKAGES” permission, considered high-risk, lets an app that holds it bypass the “Install from Unknown Sources” setting and install APKs from outside the Google Play Store. Victims are deceived into granting this permission, enabling the installation of malicious APKs.

Gigabud.RAT and Gigabud.Loan are alike in how they spread, but they do different things once they’re on a device. Let’s take a closer look at those differences.

Gigabud.RAT
The Gigabud.RAT trojan disguises itself as legitimate apps, like those from financial institutions and governments. It uses techniques like capturing screens and logging keystrokes to steal sensitive information like passwords. Additionally, it can bypass authentication and second factors, replace bank card numbers in the clipboard, and perform automated payments through remote access to the victim’s device.

When the user opens the fraudulent Gigabud trojan, it pretends to be a real app and shows a login screen. After the user enters their login details, Gigabud asks for two 6-digit codes. This makes it harder for researchers to analyze and makes users think it’s a real app. Then, Gigabud shows a fake “Activation” page with a button that leads to a “Permission Request” page. The number of options on this page varies depending on the version. They are primarily used for:

  • installing the Add-On application
  • granting permission to use Accessibility Service
  • granting permission to Start Screen Recording
  • granting permission to display the application over other apps.

After the user gives these permissions, Gigabud is able to carry out its malicious actions. Once all the required permissions are given, the trojan displays a “Wait” page with an endless loading animation and the message “Please Wait for Information.”

Screen Capture- Screen capturing serves both legitimate software applications and malware purposes. Legitimate uses involve apps for recording screens, remote access, and productivity, aiding tasks from content creation to troubleshooting and remote support. Such apps use Android’s mechanisms, like virtual displays and the MediaProjection API. However, this same feature is also exploited by malware to steal sensitive user information, such as login credentials and personal data.

Accessibility Service to perform gestures- Accessibility services on Android are designed to help users with disabilities by improving how they interact with their devices. Accessibility services provide enhanced functionalities and modifications to the user interface, allowing individuals with visual, auditory, physical, or cognitive impairments to navigate, interact, and utilize their Android devices more easily. These services offer features like screen reading, gesture controls, and speech-to-text, aiding those with impairments. They promote inclusivity and independence.

However, some malware, including banking trojans like Gustuff and Gigabud, exploit these services for harmful purposes. In Gigabud’s case, it uses an accessibility service feature called TouchAction to gain remote access to a victim’s device. This allows the attacker to perform actions on the device, potentially bypassing defenses and even making automated payments from the victim’s device. As a result, devices with accessibility services are considered suspicious from an anti-fraud perspective.

Accessibility Service as a keylogger – Recent versions of Gigabud malware include a keylogging module that misuses accessibility services. This module is intended to customize the password-stealing process for various banking apps. While currently, only one banking app is targeted by this module, it’s suspected that more modules will be added to steal data from other banking apps. This keylogger feature uses accessibility services.
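Three of the four requests listed above (installing the add-on, binding an accessibility service, drawing over other apps) correspond to install-time declarations that are visible in an APK’s AndroidManifest.xml, which makes them a cheap first check when vetting an app before it reaches a device. The following added example (written for this report, not the researchers’ or CYFIRMA’s tooling) parses a manifest and reports those declarations. Screen recording through MediaProjection is obtained via a runtime consent dialog rather than a uses-permission entry, so it cannot be read from the manifest and is left out. Both manifests and the package names in them are constructed; triage is a hypothetical helper name.

```python
"""Triage an Android manifest for the permission set the Gigabud chain relies on.

Added example for this report (not the researchers' or CYFIRMA's tooling). Parses an
AndroidManifest.xml as extracted from an APK; both sample manifests are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, tied to the behaviour described in the report.
REQUEST_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"      # side-load the "Add-On" APK
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"                    # display over other apps
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # required on an AccessibilityService


def requested_permissions(manifest_xml: str) -> Set[str]:
    """All <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}


def accessibility_services(manifest_xml: str) -> List[str]:
    """Names of <service> elements guarded by BIND_ACCESSIBILITY_SERVICE."""
    root = ET.fromstring(manifest_xml)
    return [s.get(NAME) for s in root.iter("service") if s.get(PERMISSION) == BIND_ACCESSIBILITY]


def triage(manifest_xml: str) -> List[str]:
    """Return findings; an empty list means none of the watched capabilities is declared."""
    perms = requested_permissions(manifest_xml)
    findings = []
    if REQUEST_INSTALL in perms:
        findings.append("requests REQUEST_INSTALL_PACKAGES: can install further APKs outside the store")
    if OVERLAY in perms:
        findings.append("requests SYSTEM_ALERT_WINDOW: can draw over other apps")
    for svc in accessibility_services(manifest_xml):
        findings.append(f"declares accessibility service {svc}: can read screens and inject gestures")
    return findings


# Constructed manifest mimicking the capability set described for Gigabud.RAT.
SUSPICIOUS = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="{REQUEST_INSTALL}"/>
  <uses-permission android:name="{OVERLAY}"/>
  <application android:label="Bank">
    <service android:name=".HelperService" android:permission="{BIND_ACCESSIBILITY}">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app: network and camera only.
BENIGN = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(manifest) or ["no watched capabilities"])
```

None of these declarations is malicious on its own (screen readers bind accessibility services, and app stores request REQUEST_INSTALL_PACKAGES), which is why the function returns the full list of findings rather than a verdict: the combination, on an app that claims to be a bank or a government service, is what warrants a closer look.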

Gigabud.Loan
Gigabud.Loan is a variant of Gigabud malware that imitates a fake loan service and has no RAT Capabilities. It tricks users by pretending to be a non-existent financial institution and gathers personal details like full name, identity number, national identity document photo, digital signature, education, income information, bank card information, and phone number to obtain a loan.

This scam involves fraudsters posing as lenders and requesting money or personal information from victims. They use deceptive tactics like unsolicited emails or phone calls to convince victims to provide sensitive data or pay upfront fees. In a typical fake loan request fraud scenario, the fraudster may ask victims to pay upfront fees or provide personal information, such as bank account numbers or social security numbers, to process the loan application. They may promise low interest rates or guaranteed approval to entice victims into sending money or providing sensitive information. However, once the victims take action, the scammers disappear, and the victims are left without a loan and may suffer financial losses.

INSIGHTS

  • Gigabud is a versatile threat in the digital world, able to change its appearance to trick you. It often shows up as something you’d expect, like a bank app or an email from a familiar organization. This camouflage helps it sneak past your defenses and get into your device. Gigabud constantly changes its strategies to outsmart security systems. Its regular updates on tactics pose a challenge for antivirus software to stay effective.
  • Gigabud malware keeps changing and getting smarter, so it’s important to be cautious with messages and apps from unknown sources. Android tries to help by letting you decide which apps can do what on your device, but it’s still best to be on your guard and only trust well-known sources. Cybersecurity experts and researchers are always working together to catch these digital tricksters and keep your devices safe.
  • Gigabud.Loan targeted account holders of more than 99 financial institutions in countries like Thailand, Indonesia, Vietnam, the Philippines, and Peru. On the other hand, Gigabud.RAT targeted around 25 organizations including companies, banks, and government departments in countries like Thailand, Peru, the Philippines, Indonesia, and Vietnam. It tried to mimic these organizations, likely to deceive users. Its distribution tactics, often involving phishing messages and fraudulent apps, enable it to reach users across different parts of the world. However, given the adaptable nature of malware, its target geography could potentially expand or shift over time as new versions and variants emerge.

STRATEGIC RECOMMENDATION

  • Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audits of workstations, servers, laptops and mobile devices to identify unauthorized or restricted software.
  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.

MANAGEMENT RECOMMENDATION

  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.

TACTICAL RECOMMENDATION

  • Always listen to the research community and customer feedback when contacted about potential vulnerabilities detected in your infrastructure, or related compliance issues.
  • Enforce policies to validate third-party software before installation.
  • If your device has been infected, do the following:
      • Isolate the infected device from the network.
      • Contact experts to receive detailed information about the risks that the malware could pose to your device.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, DDoS, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – LockBit 3.0 Ransomware | Malware – Gigabud
      • LockBit 3.0 Ransomware – One of the ransomware groups.
      • Please refer to the trending malware advisory for details on the following:
          • Malware – Gigabud
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

APT29 Exploits Duke Malware in Recent NATO Government Espionage Campaign

  • Threat Actors: APT29 aka Cozy Bear
  • Attack Type: Spear Phishing
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Europe
  • Target Industries: Government
  • Business Impact: Operational Disruption

Summary:
In a recent observation, the Russian state-sponsored advanced persistent threat group APT29 has undertaken cyber espionage against NATO government agencies. APT29, believed to be directed by Russia’s Foreign Intelligence Service (SVR), primarily targets governments, political groups, research institutions, and critical sectors such as energy, healthcare, and finance across the U.S. and Europe. Throughout the Ukraine conflict, APT29 has carried out cyber assaults on the Ukrainian military, political entities, diplomatic units, think tanks, and non-profits.

In a recent attack on governments of NATO countries, the threat actor impersonated the German embassy and dropped two malicious PDF files carrying diplomatic invitation lures. One PDF delivered a Duke malware variant associated with APT29, while the other served for testing without a payload, signalling back when opened. The lure themes, malware, and victimology align with APT29’s activities, attributing the campaign to Russia’s Foreign Intelligence Service. The attackers used Zulip, an open-source chat application, for command-and-control, hiding their traffic within legitimate web traffic.

The first PDF, themed “Farewell to Ambassador of Germany” and “Day of German Unity,” contained embedded JavaScript for multi-stage payload delivery. It triggered an alert upon execution and launched a malicious HTML Application (HTA), which used DLL sideloading to deploy the Duke malware variant. The threat actor employed Windows API hashing to obfuscate function calls and XOR encryption to hide string values, and communicated with actor-controlled Zulip chat rooms so that the traffic blended with legitimate web activity. Another PDF, themed “Day of German Unity,” was likely for reconnaissance: though payload-less, it notified the actor via a compromised domain upon being opened. Across these campaigns, APT29 also used legitimate web services such as Microsoft OneDrive.

Insights:
NATO has experienced its second attack, following a previous incident in April, where APT29 used spear phishing, posing as European embassy messages, to target diplomatic personnel. PDF attachments in those emails linked to deceptive web pages through JavaScript using the HTML Smuggling technique, which enabled the download of payloads such as .ISO, .ZIP and .IMG files. The initial payload, termed SNOWYAMBER by researchers, was a lightweight custom malware dropper that gathered system data and connected to a Notion-hosted command-and-control server.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Chinese hackers target industrial systems in Eastern Europe
Researchers have recently reported on a campaign of a group known as APT31 (or “Judgment Panda” or “Zirconium”), which has been targeting industrial systems in Eastern Europe. According to the researchers, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. In total, at least 15 implants and their variations have been planted by the hackers in this campaign.

The group is generally regarded to be part of the Chinese government intelligence programme. While most of its activity has been part of the extensive Chinese industrial espionage campaign, the group has also been implicated in the collection of political intelligence, including targeting email accounts belonging to the campaign staff of the sitting US president, Joe Biden.

Ukrainian agency warns of Russian Starlink-hacking attempts
Ukraine’s counter-intelligence agency, the SBU, has claimed that hackers of Russia’s military intelligence agency (GRU) are attempting to deploy malware against the Starlink satellite communications system with a view to collecting data on Ukrainian troop movements. Ukrainian experts discovered malicious software on Ukrainian tablet devices that had been captured by the Russians before later being recovered from the battlefield. According to the agency, different types of information-stealing software were found on the tablets, at least one of them bearing the hallmarks of the Sandworm hacker gang, which has supposedly used custom malware. If successful, this attack was intended to yield extremely useful operational intelligence for Russian battlefield commanders.

China accuses US of hacking the Wuhan seismic laboratory
China’s Ministry of State Security has accused the United States of a cyberattack that allegedly targeted the Wuhan Earthquake Monitoring Center. The Global Times, a news outlet operated directly by the Chinese Communist Party, has accused US intelligence agencies of stealing China’s comprehensive earth system science remote-sensing and telemetry data, which, according to researchers, could serve as a source for deciphering data about potential nuclear testing. China’s announcement has also served to a degree as a pushback in the information sphere, countering US accusations of Chinese cyber espionage and of the insertion of potentially disruptive malware into critical infrastructure.

New targets of Chinese cyber espionage uncovered
The earlier reported compromise of the Microsoft Cloud by Chinese hackers has recently been updated with newly published targets, including at least one member of the US Congress, Representative Don Bacon, who is a vocal supporter of Taiwan and who serves on the House Armed Services Committee. The Congressman’s email address has reportedly been compromised in the attack, according to a statement offered by the official.

The attack itself is deemed to be the work of a threat group known as Storm-0558, which was forging Azure Active Directory tokens, using an acquired Microsoft account (MSA) consumer signing key. Storm-0558 is running espionage operations that target persons with ties to Taiwan and Uyghur geopolitical interests as well as US and European diplomatic, economic, and legislative controlling entities.

Rise in Malware/Ransomware and Phishing

Meaf Machines is Impacted by LockBit 3.0 Ransomware

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Netherlands
  • Ransomware: LockBit 3.0 Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that a company from the Netherlands, (www[.]meaf[.]com), was compromised by LockBit 3.0 Ransomware. Meaf Machines designs, develops and builds extrusion machines for the global packaging and plastics processing industry. The company is a ‘one-stop-shop’ for extruders and thermoforming machines for a wide range of polymers and applications. Currently, the compromised data has not yet been made available on the leak site, indicating the potential existence of ongoing discussions between the victim and the ransomware group. It is feasible that the compromised data encompasses information that is both sensitive and confidential.

The following screenshot was observed published on the dark web:

Source: Dark Web

Insights:
In 2023, the LockBit 3.0 ransomware emerged as a worldwide menace, penetrating various private and governmental entities across the globe. Significantly, the United States of America has suffered the most, as around 70% of the targeted organizations within the country have been affected.

Vulnerabilities and Exploits

Vulnerability in ESET Smart Security

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Antivirus and Spyware Software
  • Vulnerability: CVE-2023-3160 (CVSS Base Score 7.8)
  • Vulnerability Type: Privilege Escalation

Summary:
The vulnerability potentially allows an attacker to misuse ESET’s file operations during a module update to delete or move files without having proper permissions to do so.

Insights:
The vulnerability allows a user logged on to the system to perform a privilege escalation attack, misusing the ESET GUI to plant malicious files required for the attack into specific folders and later misusing file operations performed by ESET’s updater component to possibly delete or move any arbitrary file.

Impact:
ESET Smart Security could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw in the ekrn service.
Affected Products: https[:]//support[.]eset[.]com/en/ca8466-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-security-products-for-windows

Latest Cyber-Attacks, Incidents, and Breaches

Hacktivists target the Japanese government, following the release of Fukushima wastewater

  • Threat Actors: EUTNAIOA
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Geographies: Japan
  • Target Industries: Government and Energy
  • Business Impact: Operational Disruption

Summary:
Entities operating under the banner of Anonymous, known as EUTNAIOA, have claimed responsibility for cyber protests against the Japanese government. Their actions are in response to the government’s involvement in the release of wastewater from the Fukushima Daini Nuclear Power Plant. In an operation called “Tango Down,” Anonymous Italia Collective reportedly attacked 21 websites associated with the Fukushima facility. The targeted organizations include Japan’s Ministry of the Environment, the Atomic Power Company, the Nuclear Regulation Authority, and more. The attacks were confirmed through screenshots and monitoring tool links. These actions were prompted by the International Atomic Energy Agency’s decision to permit the release of treated Fukushima wastewater. The water contains radioactive elements due to the cooling process of the reactor, even though the plant’s management claims that advanced processing systems remove most radionuclides. EUTNAIOA questions the safety of this decision and accuses the government of manipulating social media using AI and offering bribes to downplay radiation levels, allegations both denied by the Japanese government and IAEA.

Insights:
According to the hacktivists, the Japanese government and Tokyo Electric Power Company (TEPCO) arrived at the decision to discharge radioactive water into the ocean “without sufficiently engaging local communities and conducting a proper international public discourse.” The group does acknowledge that the government and TEPCO relied on the guidance of global scientists when making their decision; nevertheless, it contends that there is no unanimous consensus within academia about the safety of the proposed plan.

Data Leaks

Job Plus’s Data Advertised in Leak Site

  • Attack Type: Data Leaks
  • Target Industry: Business Services
  • Target Geography: Saudi Arabia
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
CYFIRMA Research team observed a potential data leak related to Job Plus, {www[.]jobplus[.]biz}. Job Plus is a company that operates in the Staffing and Recruiting industry. The company is headquartered in Saudi Arabia. The data that has been compromised includes User IDs, names, email addresses, passwords, system admin status, mobile numbers, company manager IDs, gender, birth dates, and other confidential information, all formatted in SQL.

Source: Underground forums

Insights:
Constantly seeking financial gains, opportunistic cybercriminals remain vigilant for accessible and weak systems and applications. Most of these attackers participate in clandestine discussions within underground forums, where they engage in the purchase and sale of stolen digital assets. In contrast to financially motivated groups like ransomware or extortion syndicates, who often publicize their attacks, these culprits prefer discreet operations. They exploit unpatched systems or vulnerabilities in applications to infiltrate and exfiltrate valuable data. Subsequently, this stolen data is promoted for sale on underground platforms, finding its way to new owners and being repurposed in subsequent attacks by other perpetrators.

Other Observations

CYFIRMA Research team observed a potential data leak related to Sprongo, {www[.]sprongo[.]com}. Sprongo is a premium video service for skiers. The data breach encompasses User ID, email, first name, last name, photo ID, cover photo ID, external link, sport, password, registration time, and additional sensitive information presented in SQL format.

Source: Underground forums

STRATEGIC RECOMMENDATION

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATION

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events; communicate anomalies in a timely manner and continuously evolve the processes to keep up with refined ransomware threats.

TACTICAL RECOMMENDATION

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and accelerate the execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
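One way to implement two of the controls from the tactical list above, per-source rate-limiting and per-account lockout on a login endpoint, is shown below. This is an added example written for this report, not code from CYFIRMA or from any product it discusses; the thresholds (20 requests per minute per IP, 5 failures per account, 15-minute lockout), the IP addresses and the usernames are constructed for illustration.

```python
"""Login brute-force guard: per-IP sliding-window rate limit plus per-account lockout.

Illustrative defender-side example; thresholds and sample events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class BruteForceGuard:
    # Per-source-IP rate limit (sliding window); values are constructed, tune to your traffic.
    max_requests_per_window: int = 20
    window_seconds: float = 60.0
    # Per-account lockout after this many consecutive failures.
    max_failures: int = 5
    lockout_seconds: float = 900.0
    _requests: dict = field(default_factory=lambda: defaultdict(deque))
    _failures: dict = field(default_factory=lambda: defaultdict(int))
    _locked_until: dict = field(default_factory=dict)

    def _prune(self, ip, now):
        # Drop request timestamps that have aged out of the sliding window.
        q = self._requests[ip]
        while q and now - q[0] >= self.window_seconds:
            q.popleft()

    def check(self, ip, username, now):
        """Decide before touching the credential store: 'allow', 'rate_limited' or 'locked'.

        Rate limiting is evaluated first so a flood from one source is rejected cheaply,
        regardless of which accounts it targets.
        """
        self._prune(ip, now)
        if len(self._requests[ip]) >= self.max_requests_per_window:
            return "rate_limited"
        self._requests[ip].append(now)
        if self._locked_until.get(username, 0) > now:
            return "locked"
        return "allow"

    def record_failure(self, username, now):
        """Count a failed credential check; return True if this failure triggered a lockout."""
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
            return True
        return False

    def record_success(self, username):
        # A successful login clears the failure counter and any expired lock for the account.
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


def simulate_attack(events, guard=None):
    """Replay (time, ip, username, credentials_ok) events and return one decision per event.

    Decisions: 'success', 'failed', 'locked_out' (this failure triggered the lock),
    'locked' (rejected while locked) or 'rate_limited'.
    """
    guard = guard or BruteForceGuard()
    decisions = []
    for now, ip, user, ok in events:
        verdict = guard.check(ip, user, now)
        if verdict != "allow":
            decisions.append(verdict)
            continue
        if ok:
            guard.record_success(user)
            decisions.append("success")
        elif guard.record_failure(user, now):
            decisions.append("locked_out")
        else:
            decisions.append("failed")
    return decisions


def sample_events():
    """Constructed traffic: a password-guessing run on one account, the legitimate user
    returning after the lockout expires, then a credential-stuffing burst from one IP."""
    events = [(float(i), "10.0.0.5", "alice", False) for i in range(7)]
    events.append((1000.0, "10.0.0.5", "alice", True))
    events += [(2000.0 + i, "10.0.0.9", f"user{i}", False) for i in range(25)]
    return events


if __name__ == "__main__":
    for event, decision in zip(sample_events(), simulate_attack(sample_events())):
        print(f"t={event[0]:7.1f} ip={event[1]:<9} user={event[2]:<7} -> {decision}")
```

The two controls cover different attack shapes: the per-account lockout stops a focused password-guessing run even when it is spread across many source addresses, while the per-IP window stops credential stuffing that spreads one or two guesses across many accounts and so never trips the lockout. Lockout should be paired with an alert, since an attacker can deliberately lock legitimate users out; a progressive delay or CAPTCHA step, as the recommendation suggests, is a common softer alternative for the first few failures.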