Weekly Intelligence Report – 23 Dec 2022

Published On : 2022-12-23
Share :
Weekly Intelligence Report – 23 Dec 2022

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

  • Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rouge Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), SMiSing, Malvertising, USB as an Attack Vector
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – Black Basta Ransomware | Malware – MCCrash
  • Black Basta Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – MCCrash
  • Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Islamic Revolutionary Guard Corps (IRGC) Sponsored TA453 Launches Fresh Attacks

  • Suspected Threat Actors: TA453
  • Attack Type: Spear Phishing
  • Objective: Unauthorized Access, Espionage, Data Exfiltration
  • Target Technology: Windows
  • Target Geographies: Israel, Europe, U.S.A
  • Target Industries: Public & Private Sector
  • Business Impact: Data Loss, Operational Disruption

TA453 is active since 2020 and deployed under the IRGC intelligence organization. TA453 has been targeting diplomats, human rights workers, policymakers, journalists, and researchers with expertise in the Middle Eastern region. The group chooses to communicate for weeks with the victim and deliver the malware when they feel the time is right, during the year 2022 out of 60 attacks more than half were initiated with week-long conversations, and few attacks saw the immediate dropping of the malware. The threat actor mostly delivered credential harvesting links to gain access to the inbox for the exfiltration of data from email. Recently, the threat researchers detected a persona named Samantha active since April. The targeting region being the U.S., threat actor-controlled Samantha’s email account reached out to the US-based insurance company for the claim to her damaged car. The attached document with the mail was injected with the remote template injection to download multiple .dotm files from office-updates[.]info. Upon execution of the malware, a PowerShell backdoor called GhostEcho gets executed.


  • Campaigns may rise in upcoming months to fulfill the requirement of the IRGC intelligence agency.
  • They have leveraged compromised accounts and used them to target further.

Major Geopolitical Developments in Cybersecurity

GPS Signal Disruptions Reported in Russia

Some Russian cities are experiencing GPS jamming. Russian electronic warfare capabilities have been disrupting GPS signals during the current war in Ukraine, however, signal interference has not been widely reported deeper on Russian territory in recent days. Multiple major Russian cities appear to have had GPS disruptions recently. The signal interference follows Ukraine launching long-range drone attacks deep into Russian territory, and it may act as a way to potentially stop drones that rely upon GPS for navigation. Jamming bubbles have been reported to cover hundreds if not thousands of kilometers around cities with important operational assets like railway hubs, military plants, and installations or oil storage facilities.

A New Russian Cyber Campaign Hits Ukraine

Researchers have recently spotted a new supply-chain attack in Ukraine, in which Windows 10 installers with embedded Trojans are being distributed to targets in Ukraine. The researchers report there seems to be an overlap between this round of attacks and the victims targeted by Russian military intelligence with wiper malware earlier this year. The deployed malware has anti-detection capabilities, and the campaign seems to be actively targeting the same organizations and the same type of organizations against which the Fancy Bear APT group probably campaigned early in the war.

NSA Warns Against Taking Russian Offensive Cyber Capabilities Lightly

US NSA Cybersecurity Director Rob Joyce warns against complacency concerning Russian cyber operations. During a press briefing on the release of the NSA’s 2022 retrospective, Mr. Joyce warned that he would not encourage anyone to be complacent or be unconcerned about the Russian threats, especially to the energy sector, globally. In that, he expressed a sentiment long held and repeatedly expressed by CYFIRMA researchers, who have also been warning about the Russian threat to the energy sector for the coming months and years. Mr. Joyce then followed “As the war progresses there’s certainly the opportunities for increasing pressure on Russia at the tactical level, which is going to cause them to reevaluate, try different strategies to extricate themselves.”

Rise in Malware/Ransomware and Phishing

The Exchange Bank Impacted by Black Basta Ransomware

  • Attack Type: Ransomware, Data Exfiltration
  • Target Industry: Banking
  • Target Geography: USA
  • Ransomware: Black Basta Ransomware
  • Objective: Financial Gains, Data Theft, Data Encryption
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective CYFIRMA observed The Exchange Bank – a community bank offering personal and business banking services including mortgages, home loans, lines of credit, and SBA loans – being impacted by the Black Basta ransomware group. The ransomware group claimed The Exchange Bank (www[.]exb-ok[.]com) as one of their victims by disclosing the update on their dedicated leak site. It is suspected that a large amount of clients’ information, financial data, PII, and many other business-critical and sensitive data has been exfiltrated.

The group’s first known attack using the Black Basta ransomware occurred in the second week of April 2022. Like other enterprise-focused ransomware operations, Black Basta employs a double extortion scheme that involves exfiltrating confidential data before encryption to threaten victims with the public release of the stolen data. According to the ransomware message, victims are given seven days to pay else the stolen content will be publicized.

Researchers observed that the Black Basta ransomware group is using QBot as its first entry point to move laterally on compromised networks. QBot, also known as Qakbot, is a Windows malware strain that began as a banking Trojan and progressed to become a malware dropper. Other ransomware groups have used it as well, including MegaCortex, ProLock, DoppelPaymer, and Egregor. While the other ransomware groups used QBot for initial access, the Black Basta group used QBot for both initial access and side-network distribution.

BlackBasta ransomware made significant updates in November 2022, including file encryption algorithms, stack-based string obfuscation, and per-victim file extensions.

Other Observations

On December 14th, the US Department of Justice announced that it had seized 48 domains related to “booters” or “stress testers” for DDoS attacks in collaboration with EUROPOL. Six people have been charged as part of the ‘PowerOFF’ operation.

Source: Darkweb, Telegram

Indian internet service provider data was on sale. Data includes cust_id, mobile number, city, name of the person, and status of the account. Leaked data can be used for scamming and phishing purposes.

Source: Telegram

Interview with Lockbitsupp – The first interview was conducted with Lockbitsupp. Leader of one of the largest cybercrime gangs currently existing. The questions were compiled in an “Ask Me Anything” style, in which a community of people could submit various questions.


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor effectiveness of risk- based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations and lessons learned.
  • Move beyond traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised and, are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security system to compensate the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased visibility of security metrics and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services and other similar mechanism to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.