Weekly Intelligence Report – 24 Mar 2023

Published On : 2023-03-24

Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attack, Vulnerabilities & Exploits, Malware Implants, DDoS, Spear Phishing
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
  • Ransomware – Play Ransomware | Malware – FakeCalls
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – FakeCalls
  • Behavior – Most of these malware families use phishing and social engineering as their initial attack vector. Beyond those techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are also observed.

Threat Actor in Focus

NOBELIUM Attacks Ukrainian Allies in the European Region

  • Suspected Threat Actors: NOBELIUM, aka APT29
  • Attack Type: Spear Phishing
  • Objective: Espionage, Data Theft
  • Target Technology: Windows
  • Target Geographies: Europe
  • Target Industries: Government Organizations
  • Business Impact: Data Theft

NOBELIUM is a Russian state-sponsored cyber espionage group that has been conducting espionage operations since 2008. The threat actor is known by many other names, most notably APT29, the Dukes, and Cozy Bear. The group has conducted operations globally and operates solely to collect information and intelligence for the Russian government. In recent activity, it has been seen targeting diplomats and European governments that are allies of Ukraine. Cybersecurity researchers have detected a new NOBELIUM campaign that uses targeted lures aimed at individuals who have shown interest in the recent visit of the Ministry of Foreign Affairs of Poland to the U.S. The attackers exploited the LegisWrite electronic system, a legitimate system for official document exchange within the European Union (EU). The campaign partially overlaps with a previous campaign uncovered by researchers in October 2022. In the observed phishing campaign, the attackers used malicious documents as email lures. Once a victim opened the document, it presented a link that redirected them to download an infected HTML file. Further analysis suggests that the threat actor may have compromised a legitimate online library website based in El Salvador, Central America, to host the malicious HTML file and deliver additional payloads. The HTML file used the ROOTSAW (aka EnvyScout) dropper, which is commonly used to drop IMG or ISO files. In this instance, the HTML file dropped an ISO file containing malicious .LNK and .DLL files.

The cyber threat group NOBELIUM has been observed actively collecting intelligence on countries that are supporting Ukraine in the Russian-Ukrainian conflict. The use of lures related to the recent visit of Poland’s Ambassador to the United States in the attack campaign indicates that the attackers are closely monitoring geopolitical events and leveraging them to increase the chances of successful infection. This underscores the threat actor’s sophistication and highlights the need for vigilance in protecting against their tactics.

In the observed campaign, the malicious documents were weaponized with the EnvyScout dropper, which requires a long chain of victim engagement to achieve compromise. The threat actor has continued to use it for quite some time, which indicates that it can still compromise targets with old techniques.
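The delivery chain above ends with an HTML file that drops an ISO image containing .LNK and .DLL files. The following is an added example, not code from the report or from the researchers it cites, of a defender-side heuristic that decodes long base64 runs in a suspect HTML file and checks whether any of them is an ISO9660 image with LNK and PE content. The HTML page and the fake image are constructed inline; the "CD001" signature and the Shell Link header are public file-format constants, the PE check is a loose heuristic on the usual DOS-stub bytes, and the indicator strings and thresholds are assumptions to tune.

```python
"""Heuristic scan of an HTML file for a smuggled ISO9660 image.

Added example; not code from the original report. The HTML and the fake
image below are constructed. The ISO9660 "CD001" signature and the Shell
Link (LNK) header are public file-format constants; the PE check is a
loose heuristic on the usual DOS-stub bytes.
"""
import base64
import re

ISO_SIG_OFFSET = 0x8001  # byte 1 of the primary volume descriptor (sector 16)
ISO_SIG = b"CD001"
# ShellLink header: HeaderSize 0x4C then CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PE_MAGIC = b"MZ\x90\x00"
# Strings typical of a page that assembles a file client-side and forces a download.
SMUGGLING_HINTS = ("download=", "createObjectURL", "msSaveOrOpenBlob", "atob(")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")


def build_fake_iso():
    """Constructed stand-in for the dropped image: zero-filled, with the
    ISO9660 signature, one LNK header and one PE stub placed inside."""
    img = bytearray(0xB000)
    img[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] = ISO_SIG
    img[0x9000:0x9000 + len(LNK_MAGIC)] = LNK_MAGIC
    img[0xA000:0xA000 + len(PE_MAGIC)] = PE_MAGIC
    return bytes(img)


# Constructed sample page: a benign inline image plus a smuggled image blob.
SAMPLE_HTML = (
    "<html><body><p>Your document is being prepared...</p>"
    '<img alt="logo" src="data:image/png;base64,'
    + base64.b64encode(b"benign " * 6000).decode() + '">'
    "<script>/* fragment only, not a working page */"
    "var p='" + base64.b64encode(build_fake_iso()).decode() + "';"
    "/* ... a.href=URL.createObjectURL(blob); a.download='document.iso'; ... */"
    "</script></body></html>"
)


def scan_html(html):
    """Decode every long base64 run and report what each one looks like."""
    blobs = []
    for m in BASE64_BLOB.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        blobs.append({
            "decoded_size": len(data),
            "iso9660": data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG,
            "lnk_count": data.count(LNK_MAGIC),
            "pe_count": data.count(PE_MAGIC),
        })
    hints = [h for h in SMUGGLING_HINTS if h in html]
    # Verdict: an embedded ISO image together with client-side download plumbing.
    suspicious = any(b["iso9660"] for b in blobs) and bool(hints)
    return {"blobs": blobs, "hints": hints,
            "verdict": "suspicious" if suspicious else "clean"}


if __name__ == "__main__":
    for blob in scan_html(SAMPLE_HTML)["blobs"]:
        print(blob)
```

The benign image blob decodes without matching any signature, so only the second blob raises the verdict. In practice this belongs in a mail or web gateway hook; the decoded image can then be handed to a proper ISO parser or sandbox, and the LNK/PE counts are only there to prioritise triage.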

Rise in Malware/Ransomware and Phishing

Play ransomware has impacted the A&T group of companies in Poland.

  • Attack Type: Ransomware
  • Target Industry: Manufacturing
  • Target Geography: Poland
  • Ransomware: Play Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) perspective, CYFIRMA observed on a dark web forum that the A&T group of companies from Poland (www[.]atglobalsolutions[.]eu) had been listed as a victim. The company initially established itself in the Polish market and subsequently expanded its operations to China, India, Thailand, Hong Kong, Taiwan, Malaysia, Lithuania, Germany, Luxembourg, the Netherlands, the United Kingdom, and Morocco. The ransomware group leaked the A&T group of companies’ data on its dedicated leak site on 17th March 2023. According to Play Ransomware, the leaked data includes confidential private and personal information such as passports, contracts, and other sensitive materials.

PLAY ransomware has been active since at least mid-June 2022. It encrypts files using a standard RSA-AES hybrid cryptosystem. The ransomware executable is heavily obfuscated using a variety of anti-analysis techniques that are uncommon across malware families. PLAY uses double extortion against its victims.

To gain initial access to a company’s network, the PLAY ransomware group makes use of known valid accounts, exposed RDP servers, and unpatched Fortinet SSL VPN vulnerabilities. Like the majority of contemporary ransomware, PLAY employs living-off-the-land binaries (LOLBins) in its attacks. It uses Task Manager to dump the Local Security Authority Subsystem Service (LSASS) process for credential cracking, and the remote transfer tool WinSCP for data exfiltration.
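Two of the behaviours just described, LSASS process dumping and WinSCP used for exfiltration, leave footprints in endpoint telemetry. The following is an added example, not code from the report or from any vendor product, that runs simple detection logic over constructed Sysmon-style events: a ProcessAccess event (ID 10) against lsass.exe from a process that is not on an allowlist, and a NetworkConnect event (ID 3) from a file-transfer tool to an address outside the organisation's internal ranges. The events, host name, user and IP addresses are constructed; the allowlist and internal ranges are assumptions to tune per estate.

```python
"""Detection over Sysmon-style events for LSASS access and transfer-tool egress.

Added example; not code from the original report. The events, host, user
and IPs are constructed. Sysmon event IDs (10 = ProcessAccess,
3 = NetworkConnect) and field names are the real ones; the allowlist,
tool list and internal ranges are assumptions to tune per environment.
"""
import ipaddress
import ntpath

# Processes that legitimately open lsass.exe on a typical host (assumed list).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}
PROCESS_VM_READ = 0x0010           # access right required to read another process's memory
TRANSFER_TOOLS = {"winscp.exe"}    # tools able to move data off the host
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events, shaped like Sysmon records after JSON export.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 22},
    {"EventID": 3, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationIp": "10.20.30.40", "DestinationPort": 22},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\notepad.exe"},
]


def _name(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def is_internal(ip):
    """True if the address falls inside the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 10 and _name(ev["TargetImage"]) == "lsass.exe":
            src = _name(ev["SourceImage"])
            mask = int(ev["GrantedAccess"], 16)
            # Unexpected process holding a handle that can read LSASS memory.
            if src not in LSASS_ALLOWLIST and mask & PROCESS_VM_READ:
                alerts.append({"rule": "lsass_memory_access", "host": ev["Computer"],
                               "process": src, "granted_access": hex(mask)})
        elif ev.get("EventID") == 3 and _name(ev["Image"]) in TRANSFER_TOOLS:
            # Transfer tool talking to something outside the estate.
            if not is_internal(ev["DestinationIp"]):
                alerts.append({"rule": "transfer_tool_external_connection",
                               "host": ev["Computer"], "process": _name(ev["Image"]),
                               "destination": ev["DestinationIp"], "user": ev["User"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The Defender engine opening LSASS and the WinSCP session to an internal host both pass silently; only the Task Manager handle and the external transfer are raised. Keying the egress rule on the organisation's own address plan, rather than on a generic "is private" test, is deliberate: cloud and partner ranges are often routable public space and must be added explicitly.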

Based on the victims’ list, PLAY ransomware is predominantly targeting government and critical infrastructure organizations.

We observed that Play ransomware targets Microsoft Exchange servers in its operations through critical vulnerabilities (CVE-2022-41080, CVSS 8.8, and CVE-2022-41082, CVSS 8.8) that can lead to remote code execution and remote privilege escalation on the servers.

Other Observations

CYFIRMA Research team observed the sale of enterprise admin and database credentials of TOYOTA BRAZIL in the underground forums.

Source: Underground Forums


  • Organizations should adopt Attack Surface Management, ensuring that a continuous closed-loop process exists between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions, together with a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and the criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global cyber intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve these processes to keep up with refined ransomware threats.


  • Patch software and applications as soon as updates are available. Where feasible, deploy automated remediation, since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapidly execute security checklists.
  • Build and undertake safeguarding measures by monitoring and blocking the IOCs, and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
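Three of the brute-force controls recommended in the list above (IP blocklisting, rate limiting and account lockout) are layered checks that run before a password is ever verified. The following is an added example, not code from the report, showing how the layers fit together in a login path with an injectable clock so the behaviour can be exercised offline: the thresholds, usernames and IP addresses are constructed. It also shows why the layers are complementary: a per-account lockout does nothing against attempts spread across many usernames, which is what the per-source rate limit catches.

```python
"""Layered brute-force controls: IP blocklist, per-source rate limit and
per-account lockout, evaluated before password verification.

Added example; not code from the original report. Thresholds, usernames
and IPs below are constructed.
"""
import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_per_ip=10, ip_window=60.0, max_failures=5,
                 lockout_seconds=900.0, ip_blocklist=(), clock=time.monotonic):
        self.max_per_ip = max_per_ip            # attempts allowed per source in ip_window
        self.ip_window = ip_window
        self.max_failures = max_failures        # consecutive failures before lockout
        self.lockout_seconds = lockout_seconds
        self.ip_blocklist = set(ip_blocklist)
        self.clock = clock                      # injectable for deterministic tests
        self._attempts = defaultdict(deque)     # source ip -> recent attempt timestamps
        self._failures = defaultdict(int)       # username -> consecutive failures
        self._locked_until = {}                 # username -> time the lockout ends

    def check(self, username, source_ip):
        """Gate an attempt before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        if source_ip in self.ip_blocklist:
            return False, "ip_blocklisted"
        # Sliding window per source: drop timestamps older than the window.
        recent = self._attempts[source_ip]
        while recent and now - recent[0] > self.ip_window:
            recent.popleft()
        if len(recent) >= self.max_per_ip:
            return False, "rate_limited"
        recent.append(now)  # locked-account attempts still consume the source budget
        until = self._locked_until.get(username)
        if until is not None:
            if now < until:
                return False, "account_locked"
            del self._locked_until[username]   # lockout expired: start fresh
            self._failures[username] = 0
        return True, "ok"

    def record(self, username, success):
        """Feed back the outcome of the password check."""
        if success:
            self._failures[username] = 0
            return
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds


def simulate():
    """Walk through the four outcomes with a fake clock; returns the reasons seen."""
    now = [0.0]
    guard = LoginGuard(max_per_ip=8, ip_window=60, max_failures=3, lockout_seconds=300,
                       ip_blocklist={"198.51.100.7"}, clock=lambda: now[0])
    out = {}
    for _ in range(3):                          # three wrong passwords for one account
        guard.check("alice", "192.0.2.10")
        guard.record("alice", False)
    out["after_3_failures"] = guard.check("alice", "192.0.2.10")[1]
    now[0] += 301                               # lockout period has passed
    out["after_lockout"] = guard.check("alice", "192.0.2.10")[1]
    guard.record("alice", True)
    out["blocklisted"] = guard.check("bob", "198.51.100.7")[1]
    for i in range(8):                          # one source, many different accounts
        guard.check(f"user{i}", "203.0.113.9")
        guard.record(f"user{i}", False)
    out["ninth_from_same_ip"] = guard.check("user8", "203.0.113.9")[1]
    return out


if __name__ == "__main__":
    print(simulate())
```

The caller should map every non-"ok" reason to the same generic response for the user, so that the lockout state does not become a username enumeration oracle; the specific reason is for logging and alerting only.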