Weekly Intelligence Report – 30 June 2023

Published On : 2023-06-30

1. Ransomware of the Week

The CYFIRMA Research and Advisory Team highlights ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies, and may be relevant to your organization.

Type: Ransomware.
Target Technologies: MS Windows.
Target Geography: Australia, Austria, Chile, Canada, France, Germany, Italy, United States, United Kingdom, Netherlands, Spain, Switzerland.

Target Industry: Business Services, Consumer Services, Education, Food & Beverage, Government, Manufacturing, Software.


The CYFIRMA Research and Advisory Team identified a new ransomware family known as Rhysida while monitoring various underground forums as part of our Threat Discovery Process.

Relevancy: Since the start of its operation, the ransomware has targeted various industries; recent victims include:

  • Consumer Services industry in Spain.
  • Food & Beverage, Education industries in Germany.

This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.


Rhysida is a recently emerged ransomware family, written in C++.

The team presents itself as a “cybersecurity team” aiming to assist their targets by identifying vulnerabilities in their systems and emphasizing the potential consequences of these security issues. Ransomware is deployed through diverse methods, and one of the common approaches involves leveraging phishing campaigns.
The group adopts a similar approach to modern-day multi-extortion groups by coercively warning victims of potential public distribution of the exfiltrated data, aiming to pressure them into compliance.

When executed, the ransomware opens a cmd.exe window and scans all files on local drives. Once files are encrypted, it appends the “.rhysida” extension to them. Ransom notes are generated as PDF documents named “CriticalBreachDetected.pdf” and saved in the affected folders on the targeted drives.
Victims receive instructions to reach out to the attackers through a TOR-based portal, using the unique identifier provided in the ransom notes. The ransomware exclusively accepts BTC (Bitcoin) payments and guides victims on purchasing and utilizing BTC through the victim portal. To facilitate authentication and communication, victims are prompted to provide additional information through a form on the payment portal, using their unique ID.

The ransomware payload encrypts files with the ChaCha20 stream cipher, which is considerably faster than the algorithms more commonly used by ransomware operators.
The Rhysida developers built the encryption routines on the open-source LibTomCrypt library. After a file is encrypted with ChaCha20, the ChaCha20 key is itself encrypted with RSA-4096-OAEP.
For the RSA step, the authors use LibTomCrypt's CHC (cipher hash construction) hash as the entropy source for the cipher IVs.

Upon execution, Rhysida excludes files with the following extensions (and the file Thumbs.db) from encryption:
.bat, .bin, .cab, .cmd, .com, .cur, .diagcab, .diagcfg, .diagpkg, .drv, .dll, .exe, .hlp, .hta, .ico, .lnk, .ocx, .ps1, .psm1, .scr, .sys, .ini, Thumbs.db, .url, .iso

Rhysida excludes the following directories:

  • $Recycle.Bin
  • Boot
  • Documents and Settings
  • PerfLogs
  • Program Files
  • Program Files (x86)
  • ProgramData
  • Recovery
  • System Volume Information
  • Windows
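The extension and directory rules above are enough to scope an infection from the file system alone. The following is an added example, not CYFIRMA's tooling and not Rhysida's own code: it walks a directory tree, lists the `.rhysida` files (with the original name each one should be restored to), finds the `CriticalBreachDetected.pdf` notes, and reports files that the documented exclusion rules would not have skipped yet are still untouched, which helps identify shares the encryptor never reached. The sample tree it builds is constructed for the demo; the exclusion lists are taken from the report and everything else is an assumption.

```python
"""Scope a Rhysida infection from the artifacts the report describes.

Added example (not CYFIRMA's or Rhysida's code). The exclusion lists are
copied from the write-up; the sample tree below is constructed for the demo.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".rhysida"
RANSOM_NOTE = "CriticalBreachDetected.pdf"

# Extensions the report says Rhysida skips (matched case-insensitively).
SKIPPED_EXTENSIONS = {
    ".bat", ".bin", ".cab", ".cmd", ".com", ".cur", ".diagcab", ".diagcfg",
    ".diagpkg", ".drv", ".dll", ".exe", ".hlp", ".hta", ".ico", ".lnk", ".ocx",
    ".ps1", ".psm1", ".scr", ".sys", ".ini", ".url", ".iso",
}
# "Thumbs.db" is a full filename rather than an extension.
SKIPPED_FILENAMES = {"thumbs.db"}

# Top-level directories the report says Rhysida skips. Assumption: they are
# matched on the first path component below the scanned root.
SKIPPED_DIRS = {
    "$recycle.bin", "boot", "documents and settings", "perflogs",
    "program files", "program files (x86)", "programdata", "recovery",
    "system volume information", "windows",
}


def would_be_skipped(rel_path: Path) -> bool:
    """True if the documented exclusion rules would leave this file alone."""
    if rel_path.parts and rel_path.parts[0].lower() in SKIPPED_DIRS:
        return True
    if rel_path.name.lower() in SKIPPED_FILENAMES:
        return True
    return rel_path.suffix.lower() in SKIPPED_EXTENSIONS


def scope_infection(root: str) -> dict:
    """Classify every file under root as encrypted, ransom note, or missed."""
    root_path = Path(root)
    encrypted, notes, missed = [], [], []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in files:
            rel = (Path(dirpath) / name).relative_to(root_path)
            if name == RANSOM_NOTE:
                notes.append(str(rel))
            elif name.lower().endswith(ENCRYPTED_EXT):
                # The original name is the path with ".rhysida" stripped.
                encrypted.append((str(rel), str(rel)[: -len(ENCRYPTED_EXT)]))
            elif not would_be_skipped(rel):
                # Reachable by the encryptor under its own rules, yet untouched.
                missed.append(str(rel))
    per_dir = Counter(str(Path(p).parent) for p, _ in encrypted)
    return {"encrypted": encrypted, "notes": notes,
            "missed": missed, "per_dir": per_dir}


def build_sample_tree(base: str) -> None:
    """Constructed sample data for the demo; not from a real incident."""
    layout = [
        "Users/alice/report.docx.rhysida",          # encrypted document
        "Users/alice/CriticalBreachDetected.pdf",   # ransom note
        "Users/alice/tool.exe",                     # skipped by extension rule
        "Shares/finance/ledger.xlsx",               # reachable but untouched
        "Windows/System32/drivers/etc/hosts",       # skipped by directory rule
        "ProgramData/Thumbs.db",                    # skipped by both rules
    ]
    for rel in layout:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")


def demo() -> dict:
    """Build the sample tree in a temp dir and scope it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scope_infection(tmp)


if __name__ == "__main__":
    result = demo()
    for enc, original in result["encrypted"]:
        print(f"encrypted: {enc}  (restore as {original})")
    print("ransom notes:", result["notes"])
    print("reachable but untouched:", result["missed"])
    print("encrypted files per directory:", dict(result["per_dir"]))
```

Run it against a mounted evidence copy rather than the live host, and treat the "reachable but untouched" list as a prompt to check whether those paths were offline, on a share the process could not write to, or simply not yet reached when encryption was interrupted.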

Screenshot of a Ransom note of Rhysida Ransomware. (Source: Surface Web)

Countries Targeted by Rhysida Ransomware.


  • Detect-Debug-Environment: debugging environments are used by developers to analyze and troubleshoot software. Ransomware that checks for an attached debugger is likely to alter its behaviour or terminate when one is present, which hinders dynamic analysis.
  • The use of idle periods suggests the ransomware is designed to operate stealthily, waiting for the computer to be idle before encrypting files or performing other malicious activities.
  • Checking the CPU name profiles the victim's hardware and is also a common sandbox or virtual-machine check, since some emulated CPUs expose a hypervisor-branded name; this is consistent with the T1497 (Virtualization/Sandbox Evasion) technique listed below.
  • The analysis of the victim list suggests a focus on European targets.
  • The use of the CHC hash as entropy for cipher IVs shows that the developers derive the IVs deterministically from a cryptographic hash rather than from a system random source. A hash output is only as unpredictable as its input, and the analysis does not identify what is hashed, so this choice should not be read as a strength or a weakness of the scheme on its own.

Following are the TTPs based on the MITRE ATT&CK framework.

Sr. No.  Tactic                         Techniques / Sub-techniques
1        TA0001: Initial Access         T1566: Phishing
2        TA0002: Execution              T1059: Command and Scripting Interpreter
                                        T1129: Shared Modules
3        TA0003: Persistence            T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
4        TA0004: Privilege Escalation   T1055: Process Injection
                                        T1055.003: Process Injection: Thread Execution Hijacking
                                        T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
5        TA0005: Defense Evasion        T1027: Obfuscated Files or Information
                                        T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
                                        T1036: Masquerading
                                        T1055: Process Injection
                                        T1055.003: Process Injection: Thread Execution Hijacking
                                        T1497: Virtualization/Sandbox Evasion
                                        T1564: Hide Artifacts
                                        T1564.004: Hide Artifacts: NTFS File Attributes
                                        T1620: Reflective Code Loading
6        TA0007: Discovery              T1010: Application Window Discovery
                                        T1057: Process Discovery
                                        T1082: System Information Discovery
                                        T1083: File and Directory Discovery
                                        T1497: Virtualization/Sandbox Evasion
                                        T1518.001: Software Discovery: Security Software Discovery
7        TA0009: Collection             T1005: Data from Local System
                                        T1119: Automated Collection
8        TA0011: Command and Control    T1071: Application Layer Protocol
                                        T1071.001: Application Layer Protocol: Web Protocols
9        TA0040: Impact                 T1486: Data Encrypted for Impact

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.


  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.


  • A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Update all applications/software regularly with the latest versions and security patches alike.

2. Trending Malware of the Week

Type: Trojan
Objective: Stealing Banking Credentials and Financial Information
Target Geography: U.S., U.K., Germany, Austria, and Switzerland
Target Industry: Banking
Target Technology: Android
Active Malware of the Week
This week “Anatsa” is trending.


Researchers have discovered a new mobile malware campaign targeting online banking customers in the United States, United Kingdom, Germany, Austria, and Switzerland. The campaign utilizes an Android banking trojan called ‘Anatsa’ and the attackers are distributing their malware via the Play Store, Android’s official app store, and already have over 30,000 installations via this method alone.

The malware campaign involved malicious apps disguised as PDF viewers, office suites and productivity tools. Despite removals by Google, new droppers were consistently uploaded by the attackers. The dropper apps fetched Anatsa payload from GitHub, pretending to be text recognizer add-ons. Anatsa then collected sensitive financial data through phishing overlays and keylogging, targeting nearly 600 banking apps worldwide. The trojan automated fraudulent transactions using the stolen information, making detection by anti-fraud systems challenging. Stolen funds were converted to cryptocurrency and transferred through a network of money mules, with a portion kept by the mules as revenue and the remainder sent to the attackers.

Progression of Anatsa

In March 2023, researchers discovered a new campaign by the Anatsa malware after a six-month break. The campaign involved a dropper application disguised as a PDF reader on the Google Play Store. Once installed, the dropper would request a download URL from a GitHub page, obtaining the payload that masqueraded as an add-on. This technique was consistent with previous Anatsa campaigns.

After the initial dropper posing as a PDF viewer was reported and removed from the Google Play Store, the attackers persisted and released another dropper in the form of a PDF viewer one month later. This indicated a continuation of the same campaign, with the payloads still disguised as add-ons. The observed selection of disguises for these malicious applications confirms the ongoing trend we notice on Google Play. Following the restriction of the “REQUEST_INSTALL_PACKAGES” permission, droppers tend to mimic applications associated with file management.

The actors behind the Anatsa campaign were able to release multiple droppers on the Google Play Store, even after some were reported and removed. Despite the removal of certain droppers, the attackers quickly released new ones, with a turnaround time of a few days to a couple of weeks. Additionally, at the time of writing, a new Anatsa dropper had been discovered and was still online. The speed and persistence of the attackers in publishing new droppers demonstrate their determination to continue the distribution campaign.

During the Anatsa campaign, each dropper released on the Google Play Store was updated after its initial publication, likely to add additional malicious functionality. The actors behind the campaign employed multiple developer accounts to publish several apps simultaneously, with only one acting as the malicious dropper while the others served as backups. This tactic enabled the attackers to maintain long-running campaigns and minimize the time required to publish new droppers and continue the distribution of the malware.

Attack Method

The Anatsa malware campaign begins by distributing the payload through malicious apps on the Google Play Store. Victims are led to these apps through deceptive advertisements that appear less suspicious as they direct users to the official store.

Once infected, Anatsa collects sensitive information using overlay attacks and keylogging, including credentials, credit card details, and payment information. This data is then used by the attackers to engage in Device-Takeover Fraud (DTO) and perform transactions on behalf of the victims. The fact that the transactions are initiated from the same device used by the targeted bank customers makes it challenging for banking anti-fraud systems to detect fraudulent activity.
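The dropper-then-payload pattern described above leaves traces in an app's manifest before any network activity happens. The following is an added example, not the researchers' tooling and not anything taken from Anatsa: it parses a decoded AndroidManifest.xml and scores the traits the write-up describes. `REQUEST_INSTALL_PACKAGES` is the permission a dropper needs to side-install a fetched payload (the report notes droppers now pose as file-management apps to justify asking for it). Treating `SYSTEM_ALERT_WINDOW` and a `BIND_ACCESSIBILITY_SERVICE` service as overlay and keylogging indicators is a generalisation from how Android banking trojans usually work, not a statement about Anatsa's exact implementation, and the label keywords, the sample manifest and the scoring are all assumptions constructed for the demo.

```python
"""Triage a decoded AndroidManifest.xml for dropper / banking-trojan traits.

Added example, not the researchers' tooling and not Anatsa code. The manifest
below is constructed for the demo. Real APKs carry a binary manifest; decode
it first (e.g. with apktool) and pass the resulting XML text to triage_manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Permission a dropper needs to side-install a package it downloaded (report).
DROPPER_PERMISSIONS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
# Overlay and accessibility abuse: assumption about typical banking trojans.
OVERLAY_PERMISSIONS = {"android.permission.SYSTEM_ALERT_WINDOW"}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Words a "productivity" disguise tends to carry in its label (assumption).
DISGUISE_HINTS = ("pdf", "viewer", "reader", "office", "document", "file")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the requested capabilities and a list of human-readable findings."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(NAME_ATTR, "") for el in root.iter("uses-permission")}
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    # An accessibility service is a <service> protected by the
    # BIND_ACCESSIBILITY_SERVICE permission.
    accessibility_services = [
        s.get(NAME_ATTR, "")
        for s in root.iter("service")
        if s.get(PERM_ATTR) == ACCESSIBILITY_BIND
    ]

    findings = []
    if requested & DROPPER_PERMISSIONS:
        findings.append("can side-install packages (dropper capability)")
    if requested & OVERLAY_PERMISSIONS:
        findings.append("can draw over other apps (overlay phishing)")
    if accessibility_services:
        findings.append("declares an accessibility service (keylogging/automation)")
    looks_like_productivity = any(h in label.lower() for h in DISGUISE_HINTS)
    if looks_like_productivity and findings:
        # The disguise itself is the tell: a PDF viewer has no business here.
        findings.append(f"label '{label}' does not justify these capabilities")

    return {
        "package": package,
        "label": label,
        "permissions": sorted(requested),
        "accessibility_services": accessibility_services,
        "findings": findings,
        "score": len(findings),
    }


# Constructed manifest mimicking the "PDF viewer" disguise from the report.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="PDF Viewer Pro">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], "score:", report["score"])
    for finding in report["findings"]:
        print(" -", finding)
```

The score is deliberately coarse: a single hit (an honest file manager requesting `REQUEST_INSTALL_PACKAGES`) is a reason to look, while the combination of installer, overlay and accessibility capabilities in an app whose label promises only document viewing is the pattern the campaign relies on.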

Targeted Countries

Researchers have been monitoring the Anatsa malware campaign since 2020 and have observed changes in the attackers’ focus and target lists over time. In the latest iteration of the campaign, there is a strong emphasis on banking institutions in the DACH region, particularly in Germany. This is reflected in the regions where the distribution droppers are released. However, Anatsa remains active in the US and UK as well. The target list has expanded by more than 90 applications compared to the previous year, with additions from countries such as Germany, Spain, Finland, South Korea, and Singapore.

While the droppers may not be distributed in all these countries, it indicates the attackers’ plans to potentially target those regions and gain insights into the internal structure of banking applications. Additionally, the targeting of significant minorities in these countries cannot be ruled out as a potential motive.


  • Anatsa is a sophisticated and persistent malware that poses a significant challenge to banking anti-fraud systems. It relies on frequent updates and the simultaneous release of multiple apps under different developer accounts to keep its campaign alive. Because fraudulent transactions are initiated from the victim’s own device, they blend in with legitimate activity, and the malware’s continual evolution makes it hard to mitigate and underlines the need for proactive defence measures.
  • Anatsa is highly relevant in today’s digital landscape because of its impact on the banking and financial sector. Its ability to reach victims through the official app store and harvest credentials, card details, and payment data poses a severe threat to users’ sensitive information and financial assets. With the increasing reliance on mobile banking and digital transactions, the consequences of this credential theft are all the more serious.
  • The rapid spread and continuous innovation of Anatsa underscore the need for robust, proactive security measures. Banks, financial institutions, and individuals alike must remain vigilant and stay informed about the latest threats to counter this malware effectively.

Indicators of Compromise
Kindly refer to the IOCs Section to exercise controls on your security systems.


  • Implement Mobile Device Management (MDM) policy to enhance corporate data security by monitoring, managing, and securing mobile devices such as laptops, smartphones, and tablets that are used in enterprises.
  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.


  • Regularly reinforce awareness related to different cyberattacks emanating from impersonated apps, fake browser extensions, etc., with end-users across the environment and emphasize the human weakness in mandatory information security training sessions.
  • Provide your staff with basic cybersecurity hygiene training since many targeted attacks start with phishing or other social engineering techniques.
  • Security Awareness training should be mandated for all company employees. The training should ensure that employees:
    • Avoid downloading and executing files from unverified sources. Avoid free versions of paid software.
    • Always inspect the full URL before downloading files to ensure it matches the source (e.g., Microsoft Teams should come from a Microsoft domain).
    • Inspect file extensions. Do not trust the filetype logo alone. An executable file can be disguised as a PDF or office document.


  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Ensure robust encryption for critical data, alongside strong policies to govern the storage, usage, and transmission of such data.
  • Ensure that all third-party apps are downloaded from trusted sources and updated to their latest versions.
  • Protect all accounts with strong passwords and multi-factor authentication.
  • Enforce policies to restrict installation of third-party software.

3. Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Malware Implants, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Play Ransomware | Malware – Anatsa
  • Play Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following: Malware – Anatsa
  • Behavior – Most of this malware uses phishing and social engineering techniques as its initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Chinese APT Camaro Dragon aka Mustang Panda Strikes Health Care Industry

  • Threat Actors: Camaro Dragon aka Mustang Panda
  • Attack Type: USB-based malware implant
  • Objective: Espionage
  • Target Technology: Windows
  • Target Geographies: Asia, Russia, and Great Britain
  • Target Industries: Healthcare
  • Business Impact: Data Loss

A recent cyber-attack on a European hospital revealed that the observed malicious activity was likely unintended and resulted from the widespread propagation of Camaro Dragon’s self-propagating malware through USB drives. Camaro Dragon, a Chinese-based espionage threat actor, primarily targets Southeast Asian countries and associated foreign entities. Its tactics, techniques, and procedures (TTPs) and resources resemble those of other Chinese threat actors, namely Mustang Panda and LuminousMoth.

During the recent campaign, multiple updated versions of the malware toolset were identified, featuring similar capabilities for spreading via USB. These tools, named WispRider and HopperTick, are linked to other recently discovered tools attributed to the same threat actor, including a Go-based backdoor known as TinyNote and a malicious router firmware implant called HorseShell. These tools share infrastructure and operational objectives.

The primary variant of the malware, WispRider, has undergone significant revisions. In addition to its backdoor functionality and USB propagation through the HopperTick launcher, the payload incorporates additional features. Notably, it includes a bypass for SmadAV, a popular antivirus solution in Southeast Asia. The malware also uses DLL side-loading, abusing components from security software such as G-DATA Total Security, as well as from two prominent gaming companies, Electronic Arts and Riot Games.


  • A month ago, the same threat actor was observed piloting another campaign in which it deployed modified TP-Link router firmware images containing a malicious implant called “Horse Shell.” The implant has three key capabilities:
    • Remote shell: allows the attacker to execute arbitrary shell commands on the compromised router.
    • File transfer: enables uploading and downloading files to and from the infected router.
    • SOCKS tunneling: relays communication between various clients.
  • Chinese threat actors, specifically Camaro Dragon, persistently exploit USB devices, to propagate malware, underscoring the importance of safeguarding against this infection vector. It is crucial for organizations, even those not directly targeted in these campaigns, to prioritize measures to mitigate the risks associated with USB-based attacks.

Indicators of Compromise
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

Major Geopolitical Developments in Cybersecurity

North Korean hackers eavesdropping on individuals in South Korea

  • In a recent cyberespionage campaign by North Korea’s APT37 (also known as Reaper or RedEyes), the state-sponsored threat actor has been observed using FadeStealer – a strain of malware, which includes eavesdropping capability, taking control of the affected device’s microphone to collect ambient speech and other sounds.
  • The threat actor seems to be interested in the surveillance of individuals located in South Korea, whom Pyongyang regards as hostile to its interests. Among the individuals targeted by APT37 are defectors from the North Korean regime, human rights activists, or university professors. The attack begins with a spearphishing email which can install a backdoor after interaction with the targeted individual. The next stage involves the installation of a second backdoor, which facilitates subsequent privilege escalation, exfiltration, and malware installation. The final malware is then used to collect and exfiltrate information.

Ukrainian hackers break into Russian radio broadcasts to sow panic
Ukrainian cyber auxiliaries have recently been increasingly targeting Russian radio broadcasts in cyber-enabled information operations, inserting messages and exploiting the chaos in the information space caused by the recent mutiny of part of the Russian military. The Wagner private military company, supported and armed by the Russian army and led by businessman Yevgeny Prigozhin, who has ties to the Kremlin, mutinied, took over a large Russian military command building, and staged a drive of several hundred kilometres towards the Russian capital, during which it shot down multiple aircraft operated by the Russian army. The pro-Ukrainian hacks preceded the mutiny; however, the hackers were also able to exploit the chaos in the information space created by the lack of a coordinated response from the Russian government, inserting a message that Russia had declared full mobilization and martial law in response to a large-scale invasion of Russia. The operation gained enough traction to draw an official denial from Kremlin spokesman Dmitry Peskov.

Intel report on a Russian foreign intelligence run threat actor
Researchers have recently published an intel report profiling NOBELIUM, now tracked as Midnight Blizzard, an APT run by the SVR, Russia’s Foreign Intelligence Service. According to the report, this actor targets government agencies, non-governmental organizations, and diplomatic personnel in intelligence-gathering operations. The actor is sophisticated enough to use diverse initial access methods, ranging from stolen credentials to supply chain attacks, exploitation of on-premises environments to move laterally into the cloud, abuse of service providers’ trust chains to reach downstream customers, and AD FS malware known as FOGGYWEB and MAGICWEB.

Update on a recent Chinese state-sponsored hack
Researchers have recently provided details on the exploitation of a vulnerability in Barracuda’s Email Security Gateway (ESG), suspected to have been carried out by UNC4841, a known, aggressive, and highly skilled actor conducting targeted activity most likely on behalf of the Chinese government. The actor has recently been focusing on targets in the United States, Norway, Taiwan, and Poland, mostly attacking academic institutions, defense industrial base companies, and governmental organizations in cyber-espionage-driven data exfiltration. In the past, the threat actor also exhibited a sustained focus on scientific research, energy entities, and public health data.

4. Rise in Malware/Ransomware and Phishing

Hill International is Impacted by Play Ransomware

  • Attack Type: Ransomware
  • Target Industry: Construction
  • Target Geography: The United States of America
  • Ransomware: Play Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in the dark forum that a company from The United States of America, (www[.]hillintl[.]com), was compromised by Play Ransomware. Hill International provides program and project management, construction management, cost engineering and estimating, quality assurance, inspection, scheduling, risk management, and claims avoidance to clients involved in major construction projects worldwide. The data breach includes sensitive and confidential information such as private and personal data, documents related to clients and employees, financial records, technical documentation, passports, identification cards, tax information, financial details, and more.

The following screenshot was observed published on the dark web:

Source: Dark Web


  • To gain initial access to a company’s network, the Play ransomware group uses valid accounts, exposed RDP servers, and unpatched Fortinet SSL VPN vulnerabilities. Like most contemporary ransomware, Play relies on living-off-the-land binaries (LOLBins): it uses Task Manager to dump the Local Security Authority Subsystem Service (LSASS) process for offline credential cracking, and the remote tool WinSCP for data exfiltration.
  • Based on our observations throughout 2023, it has become clear that the Play Ransomware group primarily directs its attention towards organizations in the USA, constituting 40% of their primary targets.
  • We observed that Play ransomware has targeted Microsoft Exchange servers in its recent operations through critical vulnerabilities (CVE-2022-41080, CVSS 8.8, and CVE-2022-41082, CVSS 8.8), which together can lead to remote privilege escalation and remote code execution on the servers.
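The LSASS-dumping step above is one of the few parts of a Play intrusion that is noisy on a well-instrumented host. The following is an added example, not CYFIRMA detection content, that runs over Sysmon-style JSON events and combines two signals: a Sysmon Event ID 10 (ProcessAccess) on `lsass.exe` where the requesting process holds `PROCESS_VM_READ`, which a memory dump requires, and a Sysmon Event ID 11 (FileCreate) for a file named `lsass.DMP`. That Task Manager's "Create dump file" action writes `lsass.DMP` under the user's temp directory is my assumption about Task Manager behaviour, not something the report states. The event records, the hostnames and the benign-process allow-list are all constructed for the demo; field names (`SourceImage`, `TargetImage`, `GrantedAccess`, `TargetFilename`, `Image`) follow Sysmon's schema.

```python
"""Flag LSASS credential dumping from Sysmon-style events.

Added example (not CYFIRMA's detection content). Events below are constructed;
the benign-source list is an assumption to be tuned per environment.
"""
import json
from typing import Iterable, List, Optional

LSASS = "lsass.exe"
# Access right PROCESS_VM_READ (0x0010): reading LSASS memory needs it.
PROCESS_VM_READ = 0x0010
# Processes that legitimately open LSASS (AV/EDR, Windows internals). Assumption.
BENIGN_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
# Tools seen dumping LSASS; Task Manager is the one the report attributes to Play.
DUMP_TOOLS = {"taskmgr.exe", "procdump.exe", "procdump64.exe", "rundll32.exe"}


def _basename(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return an alert string for a suspicious event, else None."""
    eid = event.get("EventID")
    host = event.get("Computer", "?")

    # Sysmon 10: a process opened a handle to lsass.exe.
    if eid == 10 and _basename(event.get("TargetImage", "")) == LSASS:
        src = _basename(event.get("SourceImage", ""))
        access = int(event.get("GrantedAccess", "0x0"), 16)
        if src in BENIGN_SOURCES:
            return None
        if access & PROCESS_VM_READ:
            who = "known dump tool" if src in DUMP_TOOLS else "unrecognised process"
            return (f"LSASS memory read by {who} {src} "
                    f"(GrantedAccess=0x{access:x}) on {host}")

    # Sysmon 11: a file named lsass.DMP was created (assumed Task Manager output).
    if eid == 11 and _basename(event.get("TargetFilename", "")) == "lsass.dmp":
        writer = _basename(event.get("Image", ""))
        return f"lsass.DMP written by {writer} at {event.get('TargetFilename')} on {host}"

    return None


def scan(lines: Iterable[str]) -> List[str]:
    """Parse one JSON event per line and collect alerts in input order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed events: Task Manager dumping LSASS, Defender's routine access,
# the resulting dump file, and a low-privilege handle from svchost.
SAMPLE_EVENTS = r"""
{"EventID": 10, "Computer": "FS01", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 10, "Computer": "FS01", "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 11, "Computer": "FS01", "Image": "C:\\Windows\\System32\\Taskmgr.exe", "TargetFilename": "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\lsass.DMP"}
{"EventID": 10, "Computer": "FS01", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The access-mask check matters more than the tool name: an attacker can rename `procdump.exe`, but cannot read LSASS memory without `PROCESS_VM_READ`, so the unrecognised-process branch is the one that catches the renamed copy. Keep the allow-list short and review it whenever security software is updated, since a new EDR component opening LSASS is exactly what this rule will flag first.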

5. Vulnerabilities and Exploits

Vulnerability in DataEase

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Data Visualization Analysis Tool
  • Vulnerability: CVE-2023-34463 (CVSS Base Score 8.1)
  • Vulnerability Type: Improper Access Control

Summary:

DataEase could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation.

The vulnerability exists due to improper access restrictions in the application deletion interface.

A remote user can bypass implemented security restrictions and delete the application.

Affected Products: https[:]//github[.]com/dataease/dataease/security/advisories/GHSA-4c4p-qfwq-85fj
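The bug class behind the advisory, an authenticated user deleting a resource they do not own because the deletion endpoint only checks that the caller is logged in, is easiest to see with the vulnerable and the corrected handler side by side. The following is an added illustration, not DataEase code and not a reproduction of CVE-2023-34463 itself: the in-memory store, the user roles and the two handlers are all constructed for the example, and the hardened version shows the check the vulnerable one lacks, that ownership or admin role is decided from the stored record rather than from anything the client supplies.

```python
"""Missing-authorization on a delete endpoint: vulnerable vs. hardened.

Added example, not DataEase code. Store, users and roles are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


@dataclass
class User:
    user_id: str
    role: str  # "admin" or "user"


@dataclass
class Application:
    app_id: str
    owner_id: str


@dataclass
class AppStore:
    apps: Dict[str, Application] = field(default_factory=dict)

    def delete_app_vulnerable(self, caller: User, app_id: str) -> bool:
        """Vulnerable: being authenticated is the only requirement.

        Any valid session can delete any application whose id it can guess or
        enumerate; the caller argument is accepted but never consulted.
        """
        if app_id not in self.apps:
            return False
        del self.apps[app_id]
        return True

    def delete_app(self, caller: User, app_id: str) -> bool:
        """Hardened: authorization is derived from the stored record.

        Only the owner recorded server-side, or an admin, may delete. A missing
        id gets the same response as a forbidden one so the endpoint does not
        confirm which ids exist.
        """
        app = self.apps.get(app_id)
        if app is None:
            raise Forbidden("not permitted")
        if caller.role != "admin" and app.owner_id != caller.user_id:
            raise Forbidden("not permitted")
        del self.apps[app_id]
        return True


def build_demo():
    """Fresh store with one application owned by alice, plus three callers."""
    store = AppStore({"dash-1": Application("dash-1", owner_id="alice")})
    return store, User("alice", "user"), User("bob", "user"), User("root", "admin")


def demo() -> dict:
    """Run the same cross-user delete against both handlers."""
    outcome = {}

    store, alice, bob, admin = build_demo()
    # bob is authenticated but not the owner; the vulnerable handler lets it through.
    outcome["vulnerable_bob_deleted_alices_app"] = store.delete_app_vulnerable(bob, "dash-1")

    store, alice, bob, admin = build_demo()
    try:
        store.delete_app(bob, "dash-1")
        outcome["hardened_bob_deleted_alices_app"] = True
    except Forbidden:
        outcome["hardened_bob_deleted_alices_app"] = False
    outcome["hardened_owner_can_delete"] = store.delete_app(alice, "dash-1")

    store, alice, bob, admin = build_demo()
    outcome["hardened_admin_can_delete"] = store.delete_app(admin, "dash-1")
    return outcome


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

When reviewing a real deletion (or any state-changing) endpoint, the question to ask is the one the hardened handler answers: which server-side fact ties this caller to this record, and is that fact read from the store rather than from the request.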

Latest Cyber-Attacks, Incidents, and Breaches

Fort Worth, Texas Experiences Issues Due to Cyber Attack

  • Threat Actors: SiegedSec
  • Attack Type: Web Attack
  • Objective: Operational disruption, Data Leak
  • Target Technology: Web Application
  • Target Geographies: The United States of America
  • Target Industries: Government
  • Business Impact: Operational Disruption and Data Loss

We have recently witnessed hackers successfully infiltrating a municipal website in Fort Worth, Texas, designed to handle maintenance orders for departments such as transportation, public works, parks, and property management. The leaked data comprises attachments including photographs, spreadsheets, invoices documenting completed work, staff emails, PDF documents, and other material, approximately 180 GB in total. Officials attributed the attack to a threat actor group identified as SiegedSec, which leaked the data on its Telegram channel. SiegedSec is a self-proclaimed “hacktivist” group that emerged in February 2022 and appears to be driven by the enjoyment of the act and the desire for recognition, publicly ridiculing organizations with inadequate information security measures. Evidently, the threat actors acquired login details to access the website; plausible techniques include credential stuffing (testing stolen credentials or leaked databases), phishing (sending deceptive links or attachments), password spraying (trying common passwords across many accounts), keylogging (recording keystrokes), or brute force (systematically guessing passwords by trial and error).

Source: Telegram channel

The threat actor demonstrates a high level of proficiency in web attacks, as evidenced by their recent targeting of the Cauca government and the Colombian police’s website. Their capabilities are destructive in web attacks, indicating their ability to compromise websites and consistently leak substantial portions of database files.

Data Leaks

SignifyCRM’s Data Advertised in Leak Site

  • Attack Type: Data Leak
  • Target Industry: Information Technology
  • Target Geography: Thailand
  • Target Technology: SQL Database
  • Objective: Data Theft, Financial Gain
  • Business Impact: Data Loss, Reputational Damage

CYFIRMA Research team observed a potential data leak related to SignifyCRM, {www[.]signifycrm[.]com}. SignifyCRM is a comprehensive Software-as-a-Service (SaaS) that users will find easy to use and can greatly improve sales and customer service operations. It has earned the trust of numerous client organizations that include industry leaders. The compromised data comprises various sensitive information, such as user IDs, first names, last names, usernames, emails, passwords, mobile phone numbers, office phone numbers, and other confidential details. The total size of the compromised data amounts to approximately 1.7 gigabytes (GB).

Source: Underground forums

Financially driven cybercriminals are perpetually seeking out exposed and susceptible systems and applications, leveraging opportunistic tactics. Most of these attackers frequent underground forums, engaging in discussions and illicit transactions involving stolen digital assets. In contrast to ransomware or extortion groups, who often publicize their attacks, these individuals prefer to operate discreetly. By exploiting unpatched systems or vulnerabilities in applications, they infiltrate and pilfer valuable data. Subsequently, this stolen data is advertised, resold, and repurposed by other attackers in their own malicious endeavors.

Other Observations

CYFIRMA Research team observed a potential data leak related to Hyperface, (www[.]hyperface[.]co). Hyperface is a modern transaction credit platform founded in 2021 and headquartered in India. The exposed data encompasses a wide range of sensitive and confidential information, stored in SQL format, with a cumulative size of 3.5 GB.

Source: Underground forums


  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.


  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediation, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against the real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events, communicate anomalies in a timely manner, and continuously evolve the processes to keep up with refined ransomware threats.


  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Consider using security automation to speed up threat detection, improve incident response, increase the visibility of security metrics, and rapid execution of security checklists.
  • Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blocklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.