Weekly Intelligence Report – 28 July 2023

Published On : 2023-07-28
Share :
Weekly Intelligence Report – 28 July 2023

Ransomware of the Week

Ransomware of the Week
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware,
Target Technologies: MS Windows.

CYFIRMA Research and Advisory Team has found a new SophosEncrypt ransomware while monitoring various underground forums as part of our Threat Discovery Process.

The Ransomware primarily focuses on the widely used Windows Operating System, which is extensively utilized across various industries and organizations.

SophosEncrypt is a recent entrant in the ransomware arena, available through the ransomware-as-a-service (RaaS) business model. It has already been employed in malicious attacks by threat actors.

The ransomware encryptor is written in Rust and uses the ‘C:\Users\Dubinin\’ path for its crates.

Its capabilities and design seem to harken back to older, more traditional ransomware variants.

Researchers analyzed various samples of this ransomware and discovered that one of the samples displayed extraordinary capabilities beyond its primary function of file encryption, which is quite uncommon for ransomware.

The sample exhibits functionalities more akin to a general-purpose remote access trojan (RAT) rather than a typical contemporary ransomware executable. Alongside file encryption and ransom note generation, it demonstrates capabilities such as keyboard driver hooking for keystroke logging and system profiling through WMI commands.

Additionally, it checks the system’s language settings and declines to run if the language is set to Russian.

The other known sample exhibits fewer non-ransomware functionalities.

Both samples also contain a hardcoded IP address, associated with Cobalt Strike and crypto mining attacks on internet-facing computers for over a year.

Upon analyzing the most recent version of the malware (version 0.0.9), researchers discovered that it incorporates a Rust AES encryption library and employs AES-256 encryption in cipher-block-chaining (CBC) mode.

Upon execution, the encryptor prompts the affiliate to input a token linked to the victim, typically obtained from the ransomware management panel.
When a token is entered, the encryptor will verify if the token is valid. Once a valid token is provided, the encryptor will request further details from the ransomware affiliate, which will be used during the device encryption process.

The requested information includes a contact email, jabber address, and a 32-character password, which researchers believe is utilized as part of the encryption algorithm.

Before the encryption process, the program presents the attacker with various options to choose from.

  • encrypt all files on the hard drive.
  • encrypt a single drive letter.
  • to quit the program.

After generating the encryption key but before attempting to encrypt files, the malware:

  • Tries to kill all processes from its hardcoded list.
  • Tries to delete the recycler bin by using ‘cmd /Crd /s /q %systemdrive%\$Recycle.bin’
  • Look for network drives.

Once the encryption process is completed, each encrypted file adopts a new format, containing the original filename along with the entered token, provided email, and the ‘Sophos’ extension. Additionally, the ransomware generates a ransom note named information.hta for each folder after encrypting files. This note is automatically launched and contains information about the victim’s files, an explanation of the situation, and the contact details entered by the affiliate before initiating the encryption process.

The Ransomware includes a list of folders and file extensions that avoid encrypting, as well as a list of processes it terminates.

Folders to skip: ‘Boot’ ‘FRST’, ‘KVRT_Data’, ‘KVRT2020_Data’, ‘PerfLogs’, ‘AdwCleaner’, ‘ProgramData’, ‘$Recycle.Bin’, ‘$RECYCLE.BIN’, ‘MSOCache’, ‘Documents and Settings’, ‘Recovery’, ‘System Volume Information’, ‘SYSTEM.SAV’, ‘$Windows.~WS’, ‘$WINDOWS.~WS’, ‘Thumbs’, ‘Pagefile’, ‘Hyberfil’, ‘$WinREAgent’, ‘Program Files’, ‘Program Files (x86)’, ‘$WINDOWS.~BT’, ‘Thumbs.db’, ‘Windows.old’, ‘windows.old’, ‘Windows.old.000’, ‘windows.old.000’, ‘AppData’, ‘dev’.

File extensions to skip: ‘regtrans-ms’, ‘tmp’, ‘ps1’, ‘joker’, ‘ini’, ‘dll’, ‘inf’, ‘ico’, ‘bat’, ‘lnk’,
‘com’, ‘ani’ ‘adv’, ‘cpl’, ‘cur’, ‘rom’, ‘deskthemepack’, ‘diagcab’, ‘diagcfg’, ‘diagpkg’, ‘drv’,
‘log’, ‘hlp’, ‘icl’, ‘icns’, ‘ics’, ‘idx’, ‘ldf’, ‘mod’, ‘mpa’, ‘msc’, ‘msp’, ‘theme’, ‘wpx’, ‘lock’, ‘mkp’,
‘ocx’, ‘msu’, ‘nls’, ‘msstyles’, ‘nomedia’, ‘prf’, ‘rtp’, ‘scr’, ‘shs’, ‘spl’, ‘themepack’, ‘key’, ‘hta’, ‘faust’, ‘Devos’, ‘sophos’, ‘sys’.

Processes to kill: ‘Oracle.exe’, ‘Ocssd.exe’, ‘Dbsnmp.exe’, ‘Synctime.exe’, ‘Agntsvc.exe’, ‘Isqlplussvc.exe’, ‘Xfssvccon.exe’, ‘Mydesktopservice.exe’, ‘Ocautoupds.exe’, ‘Encsvc.exe’, ‘Firefox.exe’, ‘Tbirdconfig.exe’, ‘Mydesktopqos.exe’, ‘Ocomm.exe’, ‘Dbeng50.exe’, ‘Sqbcoreservice.exe’, ‘Excel.exe’, ‘Infopath.exe’, ‘Msaccess.exe’, ‘Mspub.exe’, ‘Onenote.exe’, ‘Outlook.exe’, ‘Powerpnt.exe’, ‘Steam.exe’, ‘Thebat.exe’, ‘Thunderbird.exe’, ‘Visio.exe’, ‘Winword.exe’, ‘Wordpad.exe’, ‘Notepad.exe’, ‘Utweb.exe’, ‘Ut.exe’, ‘Sql.exe’.

The encryption method used by the malware varies based on the file size. For files smaller than 6.4 megabytes, it creates a new file, encrypts the data in chunks using AES-256 in CBC mode, and appends the result to the new file while deleting the original. For larger files, it modifies the original file by replacing its content with encrypted data in chunks and appends the SHA256 of the key at the end.

Screenshot of files encrypted by SophosEncrypt Ransomware. (Source: Surface Web)

Screenshot of Ransomnote by SophosEncrypt Ransomware. (Source: Surface Web)

The ransomware possesses the ability to alter the Windows desktop wallpaper, prominently featuring the ‘Sophos’ brand that it is impersonating. It’s important to note that this wallpaper is entirely created by the threat actors and has no affiliation with the legitimate Sophos cybersecurity company. Ransomware uses this customized wallpaper as part of its strategy to further intimidate and deceive victims during the attack.

SophosEncrypt wallpaper (Source: Surface Web)


  • Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. Ransomware that can detect debug environments may have implemented techniques to evade or disable debugging tools.
  • Overlay: This behaviour of ransomware displays a technique where it places a malicious interface over legitimate applications or websites, tricking users into entering sensitive information or payment details, ultimately enabling attackers to steal data or extort money.
  • The malware’s adaptive encryption approach, depending on file size, suggests a deliberate strategy to optimize efficiency and effectiveness. This versatility enables it to handle files of various sizes, making the encryption process more streamlined and potentially evading detection.
  • The absence of known victims or leak sites indicates that the victims might have paid the ransom amount. Alternatively, the stolen data could have been sold in underground forums or potentially used for malicious purposes.
  • The malware provides the attacker with multiple options for encryption targets, demonstrating a level of customization in its approach. It attempts to terminate specific processes and delete the recycler bin before proceeding with encryption, indicating a deliberate strategy to maximize damage. Additionally, the search for network drives suggests a potential desire for lateral movement and wider impact.
  • The use of a Rust AES encryption library and AES-256 in CBC mode signifies that the malware employs robust encryption techniques. This suggests a higher level of sophistication and potential difficulty in decryption, making it more challenging for victims to recover their encrypted data without the encryption key.
  • The ransomware’s behaviour of avoiding execution in Russian language settings suggests possible ties to Russian-speaking threat actors.

Following are the TTPs based on MITRE Attack Framework.

Sr. No Tactics Techniques/Sub-Techniques
1 TA0002: Execution T1047: Windows Management Instrumentation
T1129: Shared Modules
2 TA0005: Defense Evasion T1027: Obfuscated Files or Information
T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
T1070.004: Indicator Removal: File Deletion
T1140: Deobfuscate/Decode Files or Information
T1497.001: Virtualization/Sandbox Evasion: System Checks
T1562.001: Impair Defenses: Disable or Modify Tools
3 TA0006: Credential Access T1056: Input Capture
4 TA0007: Discovery T1012: Query Registry
T1016: System Network Configuration Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery
T1497.001: Virtualization/Sandbox Evasion: System Checks
T1518: Software Discovery
5 TA0009: Collection T1056: Input Capture
T1213: Data from Information Repositories
6 TA0011: Command and Control T1071: Application Layer Protocol
T1071.001: Application Layer Protocol: Web Protocols
7 TA0040: Impact T1486: Data Encrypted for Impact
T1490: Inhibit System Recovery

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.

Trending Malware of the Week

Type: Spyware
Objective: Espionage, Data Exfiltration Target Technology: Android
Threat Actor: APT41 (aka Winnti, BARIUM, or Double Dragon)

Active Malware of the Week
This week “WyrmSpy and DragonEgg” is trending.

WyrmSpy and DragonEgg
Researchers have identified two sophisticated Android spyware, WyrmSpy, and DragonEgg, which are associated with the prominent Chinese threat group APT41, also known as Winnti, BARIUM, or Double Dragon, which has been predominantly associated with exploiting web-facing applications and traditional endpoint devices. Both WyrmSpy and DragonEgg appear to have sophisticated data collection and exfiltration capabilities, concealing these functions within additional modules that are downloaded after installation. WyrmSpy disguises itself as a default operating system app, while DragonEgg pretends to be a third-party keyboard or messaging application.

APT41’s connection with WyrmSpy and DragonEgg
DragonEgg and WyrmSpy are linked to each other through the use of overlapping Android signing certificates. Some versions of WyrmSpy introduced unique signing certificates that were later observed in use by DragonEgg developers. WyrmSpy played a crucial role in attributing both malware to APT41 by revealing a connection between their command-and- control (C2) infrastructure and Chengdu 404 (a Chinese company). A subdomain, “vpn2.umisen[.]com,” was used by APT41 from 2014 to 2020, and its resolving IP address matches with 14 samples analyzed by researchers, indicating their association.

Additionally, a WHOIS record for “umisen[.]com” from 2015 and 2016 lists one of the individuals mentioned in the indictment as the domain registrant, providing further evidence of APT41’s involvement.

Attack Strategy
The targeting strategy of WyrmSpy and DragonEgg differs significantly. WyrmSpy disguises itself mainly as a default Android system app, initially used for displaying notifications. Later variations of the malware are found in apps pretending to be adult video content, the “Baidu Waimai” food delivery platform, and Adobe Flash. On the other hand, DragonEgg has been detected in apps claiming to be third-party Android keyboards and messaging applications like Telegram.

Researchers have not yet come across any samples of these malware in the wild, and they believe they are distributed to victims through social engineering campaigns with moderate confidence. Google has confirmed that, as of the current detection measures, no apps containing this malware are available on Google Play.

Technical analysis of WyrmSpy and DragonEgg WyrmSpy
Once installed and launched, Wyrmspy utilizes known rooting tools to gain elevated privileges on the device and carry out surveillance tasks as instructed by its command-and- control (C2) servers. These tasks involve uploading log files, photos, and obtaining the device’s location using the Baidu Location library.

While additional modules from the C2 infrastructure were not accessible during the discovery, it is highly likely that a secondary payload is employed by the malware to execute further surveillance functions. This is supported by the permissions acquired by WyrmSpy, which are not utilized in the app’s code, indicating capabilities to exfiltrate additional data like SMS and audio recordings.

Furthermore, configuration files used by the malware also reinforce this assumption, with references to “AudioRecord” and “Files” being set to true or false based on the received commands.

Data Collection by WyrmSpy

  • Log files
  • Photos
  • Device location
  • SMS messages (read and write)
  • Audio recording

Communications with C2 and configuration files
WyrmSpy operates based on commands received from its C2 and configuration files, determining its actions on the compromised device and the data it gathers. It remains uncertain whether these commands are automated or require direct human interaction, as the server-side code is inaccessible from the C2. The configuration files are created and populated by WyrmSpy on startup and form the basis of the behavior on an infected device. As the malware interacts with the device and receives instructions from its C2, it modifies the configuration files accordingly.Other configuration files contain details about the C2, metadata, and identifiers initially collected about the infected device. A file named “ManifestFile.json” is obtained from the C2, specifying C2 beaconing intervals, lists of files for upload and download, as well as a list of shell commands to execute on the device.

Rooting the device
WyrmSpy utilizes popular rooting tools like KingRoot11 and IovyRoot/IvyRoot12. It can also disable SELinux on compatible Android versions to access data that might otherwise be inaccessible. In cases where the included rooting tools fail to work or are not present, and if the device is not already rooted, the malware communicates with the C2 infrastructure, providing the model and kernel version of the infected device.

The C2 responds with a filename, which the malware uses to download additional rooting binaries from the C2 infrastructure if they exist for the specified device.

DragonEgg, similar to WyrmSpy, relies on additional payloads to fully implement its surveillance capabilities. It acquires a payload named “smallmload.jar” from the C2 infrastructure or bundled within the APK to execute additional functionalities. Like WyrmSpy, DragonEgg requests extensive permissions for services not directly related to its core app.

To avoid detection and access valuable device data, APT41 disguises its surveillance activities by trojanizing legitimate chat apps like Telegram. By concealing surveillance functionality within fully-functional apps, the threat actor can maintain a low profile while the app is running on the device or being analyzed by researchers. Messaging apps typically request access to sensitive device data, making it easier for the malware to remain unnoticed during its operations.

DragonEgg uses “smallmload.jar” as a secondary payload to load a “forensics program (T1 version)” tertiary module, a term commonly used by Chinese-speaking defense or software development firms for surveillance tools. Unfortunately, at the time of analysis, DragonEgg’s command-and-control (C2) infrastructure was offline, preventing researchers from obtaining the “T1” forensics tool loaded by the core application.

Data Collection by DragonEgg

  • Device contacts
  • SMS messages
  • External device storage files
  • Device location
  • Audio recording
  • Camera photos


  • In recent years, APT41 has shown an increasing interest in mobile platforms, recognizing their rising importance and potential vulnerabilities. This shift has led to the development and use of advanced spyware strains, WyrmSpy and DragonEgg, showcasing the group’s growing sophistication in their malware arsenal. APT41’s investment in these tools highlights the attractiveness of mobile devices as valuable targets containing valuable corporate and personal data.
  • The evolving strategies of APT41 and their focus on mobile-based attacks pose a rising threat to Android devices. The presence of sophisticated Android malware like WyrmSpy and DragonEgg underlines the danger. The use of additional modules by these surveillance tools makes detection challenging for researchers. Both personal and corporate mobile users must be extra vigilant and adopt strong security measures to defend against these advanced threats. Timely updates and proactive measures are essential to safeguard Android devices.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.


  • Regularly reinforce awareness related to different cyberattacks using impersonated domains/spoofed webpages with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Enforce a strong password policy based on industry best practices and baseline that meets password length, complexity, history, change frequency, and other secure password requirements.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Always listen to the research community and customer feedback when contacted about potential vulnerabilities detected in your infrastructure, or related compliance issues.
  • Enforce policies to restrict installation of third-party software.

Weekly Intelligence Trends/Advisory

Weekly Attack Type and Trends Key Intelligence Signals:

  • Attack Type: Malware Implants, Spear Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gain.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware –Play Ransomware | Malware –WyrmSpy and DragonEgg
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware –WyrmSpy and DragonEgg
  • Behavior –Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus
Cryptocurrency-Focused North Korean Cyber Group UNC4899 Targets Supply Chain in Recent Attack

  • Threat Actors: UNC4899 aka Lazarus Group
  • Attack Type: Spear Phishing
  • Objective: Financial Gain
  • Target Technology: Windows and Mac OS
  • Target Geographies: USA
  • Target Industries: IT Industry
  • Business Impact: Financial Loss

Recently researchers discovered a compromised supply chain affecting a US-based software solutions entity. It was found the threat actor behind the attack has connections with North Korea and has a history of attacking cryptocurrency firms. They are known by the name UNC4899. The attack began with a sophisticated spear- phishing campaign aimed at JumpCloud; a zero-trust directory platform, used for identity and access management. The compromise impacted fewer than five customers and less than ten devices. UNC4899 is believed to be a part of the Reconnaissance General Bureau (RGB); a cryptocurrency-focused element within the Democratic People’s Republic of Korea (DPRK). The attackers gained initial access by inserting malicious code into JumpCloud’s commands framework, deploying a lightweight Ruby script that downloaded and executed a second-stage payload. The attackers used various backdoors, including FULLHOUSE.DOORED and STRATOFEAR, to establish persistence and communicate with command and control (C2) servers. TIEDYE, a related backdoor, was also identified. Researchers observed UNC4899 using VPN providers, such as ExpressVPN and NordVPN, to obscure their source addresses. However, due to operational security mistakes, they occasionally exposed their true IP addresses, revealing connections to North Korea. UNC4899’s targeting shows a strong interest in the cryptocurrency field, with overlaps in tactics and infrastructure observed among multiple North Korean groups, under the RGB umbrella.


  • JumpCloud’s CISO; BOB Phan confirmed the detection of the attack and said, “The analysis also confirmed suspicions that the attack was extremely targeted and limited to specific customers”. The intrusion impacted a small set of customers, prompting JumpCloud to reset admin API keys and notify affected clients. While the exact number of affected customers and the specific organizations targeted remains undisclosed. JumpCloud serves over 180,000 organizations and has more than 5,000 paying customers, including prominent names like Cars.com and GoFundMe.
  • DPRK cryptocurrency units are persistently engaged in the advancement of macOS malware and enhancing their capabilities to specifically target high-value individuals, operating within the cryptocurrency industry, along with the software solutions integral to their operations. This poses a significant threat to the security and integrity of the cryptocurrency ecosystem, requiring vigilant monitoring and defensive measures to safeguard against potential attacks.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

Government of Norway was targeted by a zero-day attack.
Norway continues its investigation of the zero-day attack, which was suffered by twelve of its ministries, all of whom share a common ICT platform. Governmental bodies using a different platform, namely The Prime Minister’s Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs, were not affected in the attack. The attack has as of writing not yet been attributed to a specific threat actor, however, analysts are pointing out Russia, which has a recent track record of cyberattacks against neighbors of Norway, which is at odds with NATO’s expansion in the region (Norway is a founding member of the treaty). Norway is also Europe’s largest oil producer, effectively displacing Russian hydrocarbons in EU imports, after the start of the Russian attack on Ukraine, of which Norway is a strong supporter. The zero-day itself is tracked as CVE-2023-35078, an authentication bypass vulnerability afflicting all supported versions of Ivanti’s EPMM mobile device management software (formerly known as MobileIron Core)..

Russian breaches defense industry in Ukraine and Eastern EU

  • The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor, capable of delivering next-stage payloads in an attack attributed to the Russian nation-state actor known as Turla, which is also tracked under the names Iron Hunter, Venomous Bear, and Waterbug and which is linked to Russia’s Federal Security Service (FSB).
  • The malware is distributed via email containing malicious macros with the ultimate goal of the attacks being, the exfiltration of messages from the Signal messaging app for Windows, enabling the attackers to access sensitive conversations, documents, and images on targeted devices. The defense industry remains a key bottleneck in the Western effort to aid Ukraine in its defense against Russian aggression and is thus a prime target for cyber-attacks.
  • The information was revealed when the Ukrainian Cyber Police dismantled a large bot farm with over 100 persons, who were reportedly disseminating hostile propaganda and engaged in different fraud schemes, while also exposing personal data belonging to Ukrainian nationals. A total of 21 sites were searched as part of the operation, and items seized included computers, mobile phones, more than 250 GSM gateways, and around 150,000 SIM cards from various mobile providers.

Rise in Malware/Ransomware and Phishing
Centennial Management is Impacted by Play Ransomware

  • Attack Type: Ransomware
  • Target Industry: Real estate
  • Target Geography: The United States of America
  • Ransomware: Play Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from the United States of America, (www[.]centennialinvestments[.]com), was compromised by Play Ransomware. Centennial Management Corp is a full-service real estate management company with vast experience in all aspects of property management, particularly affordable housing. The data that has been compromised includes confidential and personal information, such as client and employee documents, IDs, contracts, financial records, tax information, and more.

The following screenshot was observed published on the dark web:

Source: Dark Web


  • From our observations throughout 2023, it is evident that the Play Ransomware group predominantly focuses on targeting organizations in the USA, making up 40% of their primary objectives.
  • We observed that Play ransomware is targeting Microsoft Exchange servers in its recent operations, through critical vulnerabilities (CVE-2022-41080 – CVSS 8.8 and CVE-2022-41082 – CVSS 8.8) which can lead to remote code execution and remote privilege escalation on the servers.

Vulnerabilities and Exploits

Vulnerability in AXIS A1001

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Hardware Solutions
  • Vulnerability: CVE-2023-21406 (CVSS Base Score 7.1)
  • Vulnerability Type: Heap-based Buffer Overflow

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the Open Supervised Device Protocol (OSDP). A remote attacker on the local network can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Impact :
Successful exploitation of this vulnerability may result in the complete compromise of vulnerable systems.

Affected Products:
https[:]//www[.]axis[.]com/dam/public/1b/21/5f/cve-2023-21406-en-US- 407245[.]pdf

Latest Cyber-Attacks, Incidents, and Breaches
SiegedSec Hacktivist Asserts Responsibility for Targeting NATO and Exposing Confidential Documents.

  • Threat Actors: SiegedSec
  • Objective: Operational Disruption
  • Target Technology: Web Application
  • Target Geographies: NATO countries
  • Target Industries: Military alliance
  • Business Impact: Operational Disruption

The cyber-activist collective known as “SiegedSec” initiated a cyber offensive against NATO, asserting that they successfully infiltrated its COI portal. As a result of the breach, they have exposed a substantial cache of sensitive documents intended for NATO nations and partners. The leaked data includes comprehensive details, such as full names, email addresses, phone numbers, office addresses, and ranks of at least 70 NATO officials. SiegedSec has risen as a substantial cyber menace, motivated by a combination of hacktivism and personal interests. As per SiegedSec’s claim, the motive behind the NATO hack is the alleged violation of human rights by NATO.

Source: Telegram Channel

The purported assault on NATO’s COI portal represents a concerning escalation in SiegedSec’s methods. Their modus operandi frequently involves pilfering and disclosing confidential data from reputable and widely recognized companies or organizations to attract attention and obtain free publicity.

Data Leaks
DBA Tecnologia Data Advertised in Leak Site

  • Attack Type: Data Leak
  • Target Industry: Manufacturing
  • Target Geography: Brazil
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to DBA Tecnologia,
{www[.]dbatecnologia [.]com.[br]}. DBA Tecnologia is a company that operates in the Machinery industry. The company is headquartered in Brazil. The data that was exposed consists of sensitive information in SQL format, totalling 6GB in size.

Source: Underground forums

There are constantly vigilant cybercriminals driven by financial motives, who actively seek out exposed and vulnerable systems and applications. Most of these attackers operate in clandestine online communities, engaging in discussions and trading stolen digital assets. Unlike ransomware or extortion groups that often publicize their attacks, these attackers prefer to work discreetly. They exploit unpatched systems or vulnerabilities in applications to gain unauthorized access and pilfer valuable data. The stolen information is subsequently advertised, sold, and repurposed by other attackers for their own malicious purposes.

Other Observations

CYFIRMA Research team observed a potential data leak related to RRG Group, {www[.]rrg-group[.]com}. RRG Group is a company that operates in the Automotive industry. The company is headquartered in England. The data released to the public comprises a customer database, containing customers’ IDs, first names, last names, gender, date of birth (DOB), nationality, marital status, number of dependents, occupations, employment status, and various other sensitive details.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and, are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
  • Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
This site is registered on wpml.org as a development site. Switch to a production site key to remove this banner.