Weekly Intelligence Report – 21 July 2023

Published On : 2023-07-21
Share :
Weekly Intelligence Report – 21 July 2023

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware,
Target Technologies: MS Windows, Linux, and VMware ESXi servers.
Target Geography: Belgium, Colombia, France, Italy, Jordan, Lebanon, Mauritius, Netherlands, United States, United Kingdom.
Target Industry: Engineering, Education, Freight & Logistics Services, Health Care, Hospitality Manufacturing.

CYFIRMA Research and Advisory Team has found a new NoEscape ransomware while monitoring various underground forums as part of our Threat Discovery Process.

From the onset of its operation, the ransomware has targeted various industries, recent victims include:

  • Hospitality industry in France
  • Manufacturing industry in Italy

This ransomware targets the widely used Windows Operating System, Linux, and VMware ESXi servers, which are prevalent across numerous industries and organizations.

NoEscape ransomware functions as a Ransomware-as-a-Service (RaaS) platform, allowing other criminals to utilize it as affiliates or customers. The ransomware is written in C++, and around June 2023, used Chacha20 and RSA encryption algorithms.

It is speculated that the ransomware operation is a rebranding of Avaddon, a notorious ransomware gang that ceased its activities and publicly disclosed its decryption keys in 2021.

NoEscape ransomware and Avaddon’s ransomware share a nearly identical encryptor with only one significant change in encryption algorithms. While Avaddon used AES for file encryption, NoEscape has switched to the Salsa20 algorithm. The encryptors have similar encryption logic and file formats, including a distinct method called “chunking of the RSA encrypted blobs.”

There is a possibility that the NoEscape threat actors may have acquired the encryptor’s source code from Avaddon, as researchers believe that some key members of Avaddon are now involved in the new ransomware operation.

Upon execution, NoEscape ransomware is designed to delete Windows Shadow Volume Copies and local Windows backup catalogs. Additionally, it attempts to disable Windows’ automatic repair functionality.

The encryptor will then begin to terminate the following processes, including those associated with security software, backup applications, and web and database servers.

  • 360doctor, 360se, Culture, Defwatch, GDscan, MsDtSrvr, QBCFMonitorService, QBDBMgr, QBIDPService, QBW32, RAgui, RTVscan, agntsvc, agntsvcencsvc, agntsvcisqlplussvc, anvir, anvir64, apache, axlbridge, backup, ccleaner, ccleaner64, dbeng50, dbsnmp, encsvc, excel, far, fdhost, fdlauncher, httpd, infopath, isqlplussvc, java, kingdee, msaccess, msftesql, mspub, mydesktopqos, mydesktopservice, mysqld- nt, mysqld-opt, mysqld, ncsvc, ocautoupds, ocomm, ocssd, onedrive, onenote, oracle, outlook, powerpoint, procexp, qbupdate, sqbcoreservice, SQL, sqlagent, sqlbrowser, sqlmangr, sqlserver, sqlservr, sqlwriter, steam, supervise, synctime, taskkill, tasklist, tbirdconfig, thebat, thunderbird, tomcat, tomcat6, u8, ufida, visio, wdswfsafe, winword, wordpad, wuauclt, wxServer, wxServerView, and xfssvccon.

It will also stop the following Windows services associated with databases, QuickBooks, security software, and virtual machine platforms.

  • Culserver, DefWatch, GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, QBCFMonitorService, QBIDPService, RTVscan, SavRoam, VMAuthdService, VMUSBArbService, VMnetDHCP, VMwareHostd, backup, ccEvtMgr, ccSetMgr, dbeng8, dbsrv12, memtas, mepocs, msexchange, msmdsrv, sophos, sql, sqladhlp, sqlagent, sqlbrowser, sqlservr, sqlwriter, svc$, tomcat6, veeam, vmware-converter, vmware-usbarbitator64, vss.

By terminating these applications, the ransomware aims to unlock files that might be currently open and prevented from being encrypted. This allows the ransomware to have unrestricted access to all targeted files for encryption.

In cases where files are locked and inaccessible, the NoEscape encryptor employs the Windows Restart Manager API to forcefully close processes or terminate Windows services that might be keeping a file open and obstructing encryption. This mechanism ensures that all targeted files can be encrypted without any hindrance.

During the file encryption process, the ransomware skips all files that have the following file extensions.

  • exe, bat, bin, cmd, com, cpl, dat, dll, drv, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme.

It will also skip files in folders whose names contain the following strings:

  • $recycle.bin, $windows.~bt, $windows.~ws, %PROGRAMFILES(x86)%, %PUBLIC%, %ProgramData%, %SYSTEMDRIVE%\\Program Files, %SYSTEMDRIVE%\\Users\\All Users, %SYSTEMDRIVE%\\Windows, %TMP%, %USERPROFILE%\\AppData, AppData, %AppData%, EFI, Intel, MSOCache, Mozilla, Program Files, ProgramData, Tor Browser, Windows, WINDOWS, boot, google, perflogs, system volume information, windows.old

During encryption, researchers found that ransomware could be configured to use three modes:

  • Full – the entire file is encrypted
  • Partial – Only the first X megabytes are encrypted.
  • Chunked – Uses intermittent encryption to encrypt chunks of data.

NoEscape ransomware offers a configuration option that allows the encryptor to fully encrypt files with extensions such as accdb, edb, mdb, mdf, mds, ndf, and sql. The encryption process involves utilizing the Salsa20 algorithm, with the encryption key itself encrypted using an included RSA private key.

Encrypted files undergo a modification in their filenames, with a distinct 10-character extension appended to indicate encryption. This extension varies for each victim, ensuring uniqueness in file identification.

To maintain persistence on the compromised device and ensure automatic execution upon Windows login, the NoEscape encryptor creates a scheduled task named ‘SystemUpdate’. This task is configured to launch the encryptor, enabling it to continue its malicious activities in subsequent sessions.

For enterprise victims utilizing VMware ESXi, NoEscape offers a shell script specifically designed to restore the original /etc/motd file and facilitate the decryption process using the Linux decryptor.

The ransom demands associated with NoEscape ransomware range from hundreds of thousands of dollars to exceeding $10 million.

NoEscape strictly prohibits its members from targeting CIS (ex-Soviet Union) countries. If victims from those countries are affected, they receive free decryptors along with detailed information about the breach methods used against them.

Screenshot of files encrypted by NoEscape Ransomware. (Source: Surface Web)

The ransomware will also change the Windows wallpaper to an image telling victims they can find instructions in the ransom notes named HOW_TO_RECOVER_FILES.txt.

Screenshot of NoEscape’s desktop wallpaper. (Source: Surface Web)

On Linux systems, the NoEscape ransomware replaces the /etc/motd (Message of the Day) file with the ransom note. Consequently, when victims log in to their Linux-based devices, they are greeted with the ransom note displayed in place of the typical message.

Screenshot of Ransomnote of NoEscape Ransomware. (Source: Surface Web)

Countries Targeted by NoEscape Ransomware


  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Calls to WMI: The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to evade detection and gain access to sensitive information.
  • Long sleep periods: The malware performs long sleep during execution, indicating that it may be designed to avoid detection or delay its actions on the compromised system.
  • USB Bus Checks: The ransomware is actively monitoring and checking the USB bus for connected devices. This behaviour suggests that the ransomware may be attempting to propagate itself by spreading through removable media, such as USB drives. It could be searching for specific files or vulnerabilities on connected devices to further spread its malicious payload.
  • User Input Checks: The ransomware is also performing checks on user input. This behaviour implies that the ransomware may have the ability to interact with the user or receive commands in some way. It could be looking for specific inputs or triggers to initiate its encryption process or carry out other malicious activities.
  • Execution of Dropped Files: The ransomware is executing dropped files on the infected system. This behaviour suggests that the ransomware is employing a multi-stage infection process. It may initially drop a benign-looking file or downloader onto the system, which then downloads and executes the main ransomware payload.
  • The collaboration request from NoEscape Ransomware and the emergence of “Br0k3r” IAB on the same forum suggest a potential alliance between ransomware operators and suppliers of compromised access.

Following are the TTPs based on MITRE Attack Framework.

Sr. No Tactics Techniques / Sub-Techniques
1 TA0001: Initial Access T1091: Replication Through Removable Media
2 TA0002: Execution T1047: Windows Management Instrumentation
T1053: Scheduled Task/Job
T1053.005: Scheduled Task/Job: Scheduled Task
T1059: Command and Scripting Interpreter
T1106: Native API
T1129: Shared Modules
T1053: Scheduled Task/Job
T1053.005: Scheduled Task/Job: Scheduled
T1543.003: Create or Modify System
Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-
TA0004: Privilege Escalation
T1053: Scheduled Task/Job
T1053.005: Scheduled Task/Job: Scheduled
T1134: Access Token Manipulation
T1543.003: Create or Modify System
Process: Windows Service
T1574.002: Hijack Execution Flow: DLL Side-
5 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.009: Obfuscated Files or Information: Embedded Payloads
T1036: Masquerading
T1070.004: Indicator Removal: File Deletion
T1112: Modify Registry
T1140: Deobfuscate/Decode Files or
T1497: Virtualization/Sandbox Evasion
T1497.001: Virtualization/Sandbox Evasion:
System Checks
T1562.001: Impair Defenses: Disable or
Modify Tools
T1564.003: Hide Artifacts: Hidden Window
T1574.002: Hijack Execution Flow: DLL Side-Loading
6 TA0006: Credential Access T1056: Input Capture
7 TA0007: Discovery T1007: System Service Discovery
T1012: Query Registry
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1120: Peripheral Device Discovery
T1135: Network Share Discovery
T1497: Virtualization/Sandbox Evasion
T1497.001: Virtualization/Sandbox Evasion: System Checks
T1518.001: Software Discovery: Security Software Discovery
T1614: System Location Discovery
T1614.001: System Location Discovery: System Language Discovery
8 TA0008: Lateral Movement T1091: Replication Through Removable Media
9 TA0009: Collection T1056: Input Capture
10 TA0011: Command
and Control
T1105: Ingress Tool Transfer
11 TA0040: Impact T1486: Data Encrypted for Impact
T1489: Service Stop
T1490: Inhibit System Recovery
T1529: System Shutdown/Reboot

Indicators of Compromise

Kindly refer to the IOCs section to exercise controls on your security systems.

title: Change PowerShell Policies to an Insecure Level – PowerShell tags:
  – attack.execution
  – attack.t1059.001
  product: windows
  category: ps_script
  definition: ‘Requirements: Script Block Logging must be enabled’
    ScriptBlockText|contains: ‘Set-ExecutionPolicy’
    – ‘Unrestricted’
    – ‘bypass’
    – ‘RemoteSigned’
  # – ParentImage: ‘C:\ProgramData\chocolatey\choco.exe’ Powershell event id 4104 do not have ParentImage
    – “(New-Object System.Net.WebClient).DownloadString(‘https://community.chocolatey.org/install.ps1’)”
    – “(New-Object System.Net.WebClient).DownloadString(‘https://chocolatey.org/install.ps1’)”
    – ‘\AppData\Roaming\Code\’
  condition: cmdlet and option and not filter
  – Administrator script
level: medium
(Source: Surface Web)


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Remote Access Trojan (RAT)
Objective: Espionage, Digital Advertising Fraud & Password spraying Target Technology: Routers
Active Malware of the Week
This week “AVrecon” is trending.

Researchers have uncovered a sophisticated, multi-year cyber campaign that targets small-office/home-office (SOHO) routers worldwide. The campaign involves infecting routers with a Linux-based Remote Access Trojan (RAT) known as “AVrecon.” This malware has remained undetected for over two years, with a single instance of highlight in May 2021.

Additionally, they uncovered a massive botnet attacking SOHO routers, making it one of the largest in recent history. The attackers collect information about the victim’s router, transmit it to an embedded C2 domain, and then connect the infected system to a set of second-stage C2 servers. Using commercial telemetry analysis, the researchers identified 15 distinct second-stage C2s. By analysing the information connected to their x.509 certificates, they concluded that some of these second-stage C2s have been operational since at least October 2021. During a 28-day investigation, over 70,000 distinct IP addresses communicated with these servers, and 41,000 nodes were persistently infected, interacting with the second-stage servers for at least two days within the 28-day period.

Attack Method
The research analysis on AVrecon revealed that it was written in C and designed to target ARM-embedded devices, providing portability across different architectures. Once deployed on an infected system, AVrecon performs three main actions:

  • It checks to see if other instances of malware are already running on the system.
  • It gathers host-based information.
  • It builds the parameters of the C2 channel.

Checking for other instances
The malware, AVrecon, follows a specific sequence of actions during its installation process on the host machine. First, it checks for existing instances of itself by searching for processes on port 48102 and creates a listener on that port. If successful, it records the process ID in the file “jid.pid” in the tmp directory. If there’s already a service on port 48102, it terminates any processes that don’t match the current ID and then kills any process bound to the port. The malware does not use any other ports during installation. If all previous attempts fail, AVrecon is programmed to delete itself entirely from the host machine.

Gathering host-based information
AVrecon gathers host-based information from the infected machine, such as kernel details (uname), CPU information, memory usage, the bin path of its location, and the hostname. Once it obtains this data, the malware utilizes pre-built functions to create a remote shell for executing commands, downloading additional binaries, and setting up a proxy. The complete list of actions performed by AVrecon is organized and identified by command numbers. The following screenshot shows the command numbers and their functionality.

Fig: Command numbers and their functionality

Building C2 parameters
Once AVrecon gains freedom of movement on the infected system, it starts building the parameters for its C2 (command and control) communications. The malware is equipped with an embedded C2 configuration, but it checks if any prior C2 configurations already exist on the infected host. If none are found, it uses the C2 parameters provided in the malware’s configuration.

To check for existing C2 configurations, AVrecon searches for legitimate files named “nvram” or “xmldbc” in the “bin” and “sbin” directories. It then looks for specific variables (memasik, domik, urlik, and portik) previously set by the malware within these files. If any of these programs are found with the respective variables, the malware extracts the encrypted C2 components, which include session cookies from previous sessions, domain, URL, and port information. If any of the four variables are not found, AVrecon attempts to read and decrypt the configuration from the file “/tmp/dnssmasq.pid.” If this fails as well, it decrypts the hardcoded domain, URL, and port information from the embedded C2 configuration.

Observed Activity
The research analysis shows that the threat actor employed the infected machines for two main purposes: clicking on Facebook and Google ads, likely for advertising fraud, and interacting with Microsoft Outlook, possibly for password spraying and data exfiltration.

Cybercriminals are able to bypass certain standard network-based detection tools, especially those relying on geolocation, autonomous system-based blocking, or IP address-based rate limiting, due to the use of a global network of compromised SOHO routers. This network grants them increased anonymity and enables them to carry out their malicious activities with reduced detection risks.

Global Telemetry Analysis
Bot Analysis – The researchers analysed second-stage IP addresses associated with AVrecon and looked for connections over specific ports (e.g., 80, 8000, 5178). They identified around 70,000 unique IP addresses that made connections to 15 servers. Upon further examination, they found that more than 45,000 IPs only communicated with one of the C2s for one to two days, suggesting that these devices might have been infected and then either fixed or abandoned. Devices communicating with the C2s for more than two days were considered persistent, resulting in a botnet size of about 41,100 devices. The average lifespan of a bot in this network was approximately seven days, indicating a substantial botnet where any device could be used for malicious activities at any time.

Command and Control Analysis – During the analysis, the researchers observed traffic patterns from the bot level and examined telemetry associated with a core set of 15 second-stage servers. Out of these, 12 servers communicated with a higher-tier server located at IP address 51.15.19[.]245 for 30 consecutive days. The use of a tiered architecture in the backend is a common tactic seen in other well-known botnets like Emotet and Qakbot.

A notable finding was when the researchers scanned the higher-tier IP address on ports 25 and 465, they discovered the domain zerophone[.]cc. This domain was previously mentioned in a historical analysis of AVrecon from 2021. The domain had a sample associated with it that was compiled for multiple router architectures (ARM, MIPS, and MIPSEL), indicating that the threat actor was targeting various SOHO router architectures prevalent in the market.


  • The attack method primarily focuses on stealing bandwidth without causing noticeable disruptions to end-users. The purpose is to create a residential proxy service that can be used for illegal activities while avoiding detection from Tor-hidden services or commercial VPN services. This type of cybercrime is less likely to be noticed by the affected users and is less likely to generate a high volume of abuse complaints compared to other forms of cyber threats like crypto-mining or DDoS-based botnets.
  • Malware creators demonstrate adaptability, constantly evolving their techniques to overcome security measures and exploit vulnerabilities. Like determined individuals, malware, particularly RATs, persistently strive to maintain control over infected systems, pushing forward to achieve their objectives despite obstacles. The cybersecurity landscape resembles a cat-and-mouse game, where security measures progress alongside malware advancements, resulting in a continuous cycle of innovation and countermeasures.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Establish a robust security posture that is thoughtfully layered with a series of security mechanisms and controls in the network to protect the confidentiality, integrity, and availability of critical data.
  • Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains.


  • Secure your organization’s internet-facing assets with robust security protocols and encryption, including authentication or access credentials configuration, to ensure that critical information stored in databases/servers is always safe.
  • Enforce a strong password policy based on industry best practices and baseline that meets password length, complexity, history, change frequency, and other secure password requirements.
  • Place control system networks and remote devices behind firewalls and isolate them from the corporate network.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Follow best practices by regularly rebooting routers and installing security updates and patches. Users should leverage properly configured and updated EDR solutions on hosts and regularly update software consistent with vendor patches where applicable.
  • Privileged users account that are used to access and administer various resources must be limited to trusted set of IP addresses.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Web Attacks, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks, DDoS.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –Clop Ransomware | Malware – AVrecon
  • Clop Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware –AVrecon
  • Behavior –Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Lazarus Group Distributes Malware by Exploiting a Vulnerable IIS Server

  • Threat Actors: Lazarus Group
  • Attack Type: Web Attack
  • Objective: Unknown
  • Target Technology: Windows
  • Target Geographies: Unknown
  • Target Industries: Unknown
  • Business Impact: Data Loss

In a recent observation, it was found that the Lazarus APT group has been actively targeting Microsoft Internet Information Services (IIS) servers to gain unauthorized access and carry out malicious activities. Researchers have confirmed that Lazarus operators are using vulnerable Windows servers as malicious code distribution servers. The group employs techniques such as watering hole attacks, manipulation of domestic websites, and exploitation of INISAFE CrossWeb EX V6 vulnerabilities for malware distribution. Despite patches for the INITECH vulnerability, recent exploits continue to leverage compromised IIS servers for malware distribution. In their attacks on IIS servers, Lazarus targets insecure web servers and attempts lateral movement via Remote Desktop Protocol (RDP). They exploit vulnerable web servers by installing web shells or executing malicious commands through the IIS web server process, w3wp.exe. The attackers use privilege escalation malware, specifically JuicyPotato, to overcome limitations and execute desired malicious actions within the process.

JuicyPotato is used to execute Loader malware, which decrypts and executes encoded data files in memory. The final executed malware is typically a downloader or backdoor. Lazarus also exploits the INISAFE vulnerability to install additional malicious code, such as “SCSKAppLink.dll,” which serves as a download source for the IIS web server.

Lazarus frequently exploits vulnerable IIS servers to distribute malware, indicating a strong preference for this type of attack. It is relatively easy to use IIS-based exploits, without being detected so Lazarus employs this attack method very frequently. Detecting these exploits can be challenging, as they are less common compared to web-shell-based attacks. The backdoors are concealed within legitimate modules within directories, and their code structure often mimics that of clean modules. To defend against IIS-based attacks, network defenders should implement best security practices, including regular updates of security procedures, stringent management of highly privileged accounts, and the utilization of anti-virus software.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Reports of Russia’s Troll Factory Demise Found Premature.
The Internet Research Agency’s demise as reported on by mainstream media in recent weeks now seems premature. The agency was founded by Yevgeny Prigozhin, a Russian businessman who made headlines recently after he led a mutiny via his other business – the private military company Wagner – against the Russian Ministry of defense during its war with Ukraine – You can read the full report on the mutiny here – https[:]//www[.]cyfirma[.]com/outofband/who-are-the-wagner-pmcs-of-russia-is-there-a- risk-of-a-cyber-fallout/

The agency, known as The Troll Factory plays an important role in influencing domestic public opinion and vilifying the opposition, as ordered by the Kremlin, such as meddling in elections in countries deemed hostile to Kremlin, undermining social cohesion, and promoting pro-Russian narratives or supplying autocrat support packages, which are a combination of traditional tools of political marketing services with fake social media activity, used to support the power of various autocrats from Africa and Asia or projecting false image of popular support to third country audiences.

It appears that the blackout of Mr. Prigozhin’s own media properties was both temporary and exaggerated. The Internet Research Agency is among those companies of Prigozhin’s media empire that have remained in business, despite earlier reports to the contrary. As predicted by CYFIRMA analysts earlier, the core information operations and psy-op part of the media group was too important for the Kremlin to be shut down. It is yet not clear whether the company remained in operation or is being restructured and resurrected, possibly under the leadership of a different pro-Kremlin oligarch. Analysts mostly speculate about the banker Yuri Kovalchuk, who owns most of the privately operated media in the country and who is one of the closest friends and allies of Vladimir Putin, since his initiation of the Ukraine war. The Kremlin-sponsored information operations on social media, most notably Twitter and facebook seem to be back almost on the pre-mutiny level and are not likely to die down soon.

Chinese State Hackers Targeting British MPs
The British Parliament’s Intelligence and Security Committee (ISC) has recently reported on Chinese cyber espionage activities in the UK. According to the committee, “In relation to the cyber approach, whilst understanding has clearly improved in recent years, China has a highly capable cyber – and increasingly sophisticated cyberespionage – operation: however, this is an area where the ‘known unknowns’ are concerning. Work on continuing coverage of its general capabilities must be maintained, alongside further work on Chinese offensive cyber and close-proximity technical operations.” The 200+ pages report which concludes on an inquiry started in 2019, also found that “China frequently targeted Parliamentarians in their cyber operations” and that given the sophistication of Chinese state-sponsored hackers “the level of resource dedicated to tackling the threat has been completely inadequate.”

The warning about China’s operations being “increasingly sophisticated” was written months ago, but coincidentally published on the same day Microsoft announced a Chinese hacking group had exploited a bug in its cloud email service to spy on more than two dozen organizations and government agencies in the U.S. and Europe.

The committee echoed warnings by security researchers and other Western governmental bodies as well as intelligence experts that China’s large and highly effective cyber espionage capability has had considerable success penetrating foreign government and private sector IT systems to gain intelligence or steal intellectual property. CYFIRMA has recently reported on the Chinese IP theft strategy, You can read the full report here – https[:]//www[.]cyfirma[.]com/outofband/china-ip-theft-report/

Rise in Malware/Ransomware and Phishing

Aspen Technology is Impacted by Cl0p Ransomware

  • Attack Type: Ransomware
  • Target Industry: Information Technology
  • Target Geography: The United States of America
  • Ransomware: Cl0p Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from the United States of America, (www[.]aspentech[.]com), was compromised by Cl0p Ransomware. Aspen Technology, together with its subsidiaries, provides software & services in the United States, Europe, and worldwide. It operates through two segments, Subscription and Software, and Services. The compromised data might contain sensitive and confidential information concerning the organization, totalling approximately 46 GB in size.

The following screenshot was observed published on the dark web:

Source: Dark Web

Recently, the Cl0p ransomware gang has acknowledged its role in the data-theft incidents involving MOVEit Transfer, where servers belonging to numerous companies were compromised through the exploitation of a zero-day vulnerability. This confirmation aligns with Microsoft’s attribution of these activities to the hacking group known as ‘Lace Tempest,’ also recognized as TA505 and FIN11.

Recently creators of Cl0p ransomware have been observed to have developed a version that specifically targets Linux operating systems. In comparison to the Windows version, this variant differs in several ways. For instance, it does not exempt any particular files or folders (along with their extensions) from encryption. Moreover, it employs the same techniques for reading and writing data, unlike its Windows counterpart, which opts for distinct approaches. Additionally, the ransom note generated by the Linux variant is in plain text, and it does not conduct validation, while creating an RC4 key. The Linux variant is not compatible with command line parameters and utilizes flawed logic for generating an RC4 key.

Vulnerabilities and Exploits Vulnerability in GE Digital CIMPLICITY

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: SCADA Systems
  • Vulnerability: CVE-2023-3463 (CVSS Base Score 6.6)
  • Vulnerability Type: Heap-based Buffer Overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

GE CIMPLICITY is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By persuading a victim to open a specially crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable systems.

Affected Products: https[:]//www[.]cisa[.]gov/news-events/ics-advisories/icsa-23-199-06

Latest Cyber-Attacks, Incidents, and Breaches

Anonymous Sudan alleges responsibility for executing a ‘warning’ Distributed Denial of Service (DDoS) cyberattack against PayPal.

  • Threat Actors: Anonymous Sudan
  • Attack Type: DDoS
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: United Arab Emirates (UAE)
  • Target Industries: Government and Private Organizations
  • Business Impact: Operational Disruption

Recently, the hacktivist collective known as “Anonymous Sudan” asserted that it conducted a preliminary “test attack” targeting PayPal. In a Telegram message attributed to this cybercrime group, a warning was issued, indicating their intention to intensify their assaults on various organizations, including those within the UAE, utilizing their preferred method of Distributed Denial of Service (DDoS) attacks. Subsequent reports reveal that the group has indeed targeted multiple UAE websites, including the government portal and Dubai Electricity

In a brief 30-second test attack on PayPal, the group asserted that it successfully caused the online payment gateway to exhibit an error message, specifically stating “User reports indicate problems at PayPal.” Following this incident, the group shared a post on Telegram, declaring their intention to meet with PayPal again soon, suggesting further confrontations are planned.

Anonymous Sudan asserts collaboration with hacker collectives such as KillNet and Revil to execute more extensive cyberattacks, notably employing DDoS techniques. These hacktivists purport that their endeavors are aimed at combatting anti-Islamic sentiments. However, there are suspicions that they receive support from Russian state-controlled entities. Additionally, they proclaim their intention to utilize PayPal as a means to confront organizations in the United States and the United Arab Emirates

The purported assault on PayPal, assuming it took place, is not the initial occurrence of such an incident. In a previous instance this year, the company alerted 35,000 users about brute force attacks aimed at pilfering login credentials. Furthermore, in December of the preceding year, unauthorized access to the system by a different group resulted in a data breach.

Data Leaks

IndiHome Data Advertised in Leak Site
Attack Type: Data Leak
Target Industry: Media and Telecommunication
Target Geography: Indonesia
Objective: Data Theft, Financial Gains
Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to IndiHome, {www[.]indihome[.]co.[id]}. IndiHome as a leading fixed broadband service, owned by PT Telkom Indonesia (Persero) provides three main services, Internet, Telephone, and Interactive TV. IndiHome is the market leader for fixed broadband services in Indonesia with more than 8.5 million subscribers. The leaked information consists of IP addresses, genders, first names, national identification numbers (NIK), and email addresses.

Source: Underground forums

There are constantly vigilant cybercriminals driven by financial motives, who actively seek out exposed and vulnerable systems and applications. Most of these attackers operate in clandestine online communities, engaging in discussions and trading stolen digital assets. Unlike ransomware or extortion groups that often publicize their attacks, these attackers prefer to work discreetly. They exploit unpatched systems or vulnerabilities in applications to gain unauthorized access and pilfer valuable data. The stolen information is subsequently advertised, sold, and repurposed by other attackers for their own malicious purposes.

Other Observations

CYFIRMA Research team observed a potential data leak related to Atspace, (www[.]atspace[.]com) Atspace is a web hosting company that provides hosting services for websites. It offers various hosting plans, including free hosting with limited features and premium hosting with more advanced options. The data made available to the public includes a customer database containing names, email addresses, and other sensitive information.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.