Weekly Intelligence Report – 17 May 2024

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple – industries, geography, and technology – which could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found EnigmaWave ransomware while monitoring various underground forums as part of our Threat Discovery Process.

EnigmaWave ransomware
Researchers uncovered EnigmaWave ransomware at the beginning of May 2024, the ransomware program encrypts data to make it inaccessible and demands payment for its decryption.

The ransomware appends encrypted file names with the attackers’ email address, a unique victim ID, and the “.EnigmaWave” extension. Additionally, EnigmaWave creates a ransom- demanding message titled “Readme.txt”.

Screenshot of files encrypted by ransomware (Source: Surface Web)

Screenshot of EnigmaWave ransomware’s text file (“Readme.txt”): (Source: Surface Web)

EnigmaWave’s ransom note notifies victims of their network’s infection and the encryption of their files, accompanied by the removal of backups and Volume Shadow Copies. The attackers claim exclusive ability to restore the locked files, suggesting ransom payment in Bitcoin cryptocurrency. Victims are offered a test decryption on two random files before committing to payment. Additionally, the note cautions against file deletion, system shutdown, or reset, as these actions may jeopardize data decryption.

Following are the TTPs based on the MITRE Attack Framework

Relevancy and Insights:

• This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
• The Ransomware places itself in “HKEY_LOCAL_MACHINE\ SOFTWARE \Microsoft\Windows NT\CurrentVersion\Image File Execution Options\” to manipulate the execution behaviour of the image. This registry key allows the ransomware to achieve persistence, silently execute alongside or instead of legitimate images, and maintain control over compromised systems, evading detection.
• Ransomware deletes Volume Shadow Copies, making data recovery more challenging for victims.
• Detect-Debug-Environment: Debugging environments are used by developers to analyze and troubleshoot software. This technique is used by the ransomware to determine whether it is operating in a debug environment. This feature aids the ransomware in avoiding analysis and detection attempts.

ETLM Assessment:
CYFIRMA’s assessment, based on available information, suggests that EnigmaWave ransomware will persist in targeting various industries worldwide, exploiting vulnerabilities in Windows Operating Systems. Future versions may intensify evasion strategies, utilizing registry manipulation for persistence and evading detection through sophisticated anti-debugging methods. Global industries must fortify cybersecurity measures to counter potential threats.

Sigma Rule
title: Suspicious Run Key from Download tags:
– attack.persistence
– attack.t1547.001 logsource:
category: registry_event product: windows
detection: selection:
Image|contains:
– ‘\Downloads\’
– ‘\Temporary Internet Files\Content.Outlook\’
– ‘\Local Settings\Temporary Internet Files\’
TargetObject|contains: ‘\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\’ condition: selection
falsepositives:
– Software installers downloaded and used by users level: high

(Source: Surface web)

STRATEGIC RECOMMENDATIONS

• Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
• Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

• A data breach prevention plan must be developed considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
• Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
• Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

• Update all applications/software regularly with the latest versions and security patches alike.
• Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.

Trending Malware of the Week

Type: Information Stealer
Objective: Data theft
Target Industry: Gaming
Target Technology: Windows OS, Browsers, Cryptocurrencies, Software (Steam, osu!, Roblox, Growtopia, and Discord)

Active Malware of the Week
This week “zEus Stealer” is trending.

zEus Stealer
The zEus malware is a type of malicious software categorized as a stealer, designed specifically to extract sensitive information from devices. This includes logging credentials for various accounts. Researchers discovered the zEus stealer malware within a source pack shared on YouTube and embedded in a Minecraft source pack, disguised as a WinRAR self-extract file. This file masquerades as a Windows screensaver file and initiates the stealer while displaying an image with the label “zEus,” which is also referenced in the Discord webhook profile used for receiving stolen data.

Fig: The string on the icon of the inserted file

Attack Method
The zEus stealer, once executed by a victim, first checks for any analysis tools to evade detection. If undetected, it proceeds to gather sensitive information and deploys script files to enhance its attack capabilities. The malware creates folders within C:\ProgramData to store both stolen data and its own malicious scripts.

Anti-analysis
zEus conducts checks to determine if it is under analysis by comparing the computer’s name and active processes against predefined blacklists.

Computer name blacklist:
WDAGUtilityAccount, Abby, Peter, Wilson, hmarc, patex, JOHN-PC, RDhJ0CNFevzX, kEecfMwgj, Frank, 8Nl0ColNQ5bq, Lisa, John, george, PxmdUOpVyx, 8VizSM, w0fjuOVmCcP5A, lmVwjj9b, PqONjHVwexsS, 3u2v9m8, Julia, HEUeRzl, BEE7370C- 8C0C-4, DESKTOP-NAKFFMT, WIN-5E07COS9ALR, B30F0242-1C6A-4, DESKTOP- VRSQLAG, Q9IATRKPRH, XC64ZB, DESKTOP-D019GDM, DESKTOP-WI8CLET, SERVER1, LISA-PC, JOHN-PC, DESKTOP-B0T93D6, DESKTOP-1PYKP29, DESKTOP-1Y2433R, WILEYPC, WORK, 6C4E733F-C2D9-4, RALPHS-PC, DESKTOP-WG3MYJS, DESKTOP-7XC6GEZ, DESKTOP-5OV9S0O, QarZhrdBpj, ORELEEPC, ARCHIBALDPC, JULIA-PC, d1bnJkfVlH, QDAVNJRH

Program blacklist:
httpdebuggerui, wireshark, fiddler, vboxservice, df5serv, processhacker, vboxtray, vmtoolsd, vmwaretray, ida64, ollydbg, pestudio, vmwareuser, vgauthservice, vmacthlp, x96dbg, vmsrvc, x32dbg, vmusrvc, prl_cc, prl_tools, xenservice, qemu-ga, joeboxcontrol, ksdumperclient, ksdumper, joeboxserver
Information Stealing

The zEus stealer collects a diverse array of information, saving each piece into separate text files within specific folders located at C:\ProgramData\STEALER. These folders include PCINFO, IPINFO, HARDWARE, BROWSERS, STEAL, LDB, and SESSION, organizing the
stolen data accordingly.

PCINFO
In a specified folder, zEus maintains two subfolders: IPINFO and HARDWARE. To obtain the victim’s IP address and related details, zEus utilizes online services like My External IP, ipapi, and ip-api, storing outcomes as text files in the IPINFO directory. Using this IP address, zEus requests more information from these tools, including the internet service provider, city, longitude, latitude, and postal code. Furthermore, zEus captures whether the victim employs a proxy server or a mobile network. Additionally, using command-line utilities and PowerShell, zEus collects hardware data, including active processes, OS version, product key, hardware ID, system configuration, installed programs, and WIFI passwords, saving this information in the HARDWARE folder.

BROWSERS
zEus retrieves login data and user preferences from specific browsers, including Chrome, Opera, Brave, Vivaldi, Edge, and Firefox. It copies files related to login data and encryption keys for a password (if needed) from the browser’s profile directories and stores them in designated folders. The stolen information includes cookies, browsing history, shortcuts, and bookmarks from these targeted browsers.

STEAL
In this folder, zEus stores login data obtained from software including Steam, osu!, Roblox, Growtopia, and Discord. This data is typically copied from each software’s data path.

Additionally, zEus searches for a file named discord_backup_codes.txt in the Downloads folder. This file contains backup codes used for multi-factor authentication (MFA) on Discord, which zEus attempts to retrieve from the default download location.

LDB
The “LDB” folder exclusively contains .ldb files copied from %appdata%\discord\Local Storage\leveldb. These files enable the attacker to extract Discord tokens containing account and password details, which can be used to log into the victim’s Discord account.

SESSION
zEus copies diverse data to the SESSION folder from specific paths, gathering credentials and victim information. It retrieves logs folders from the parent directory of EpicGamesLauncher, containing debug logs. It also copies parent folders related to game companies like Battle.net and Electronic Arts. This data helps the attacker learn about the victim’s gaming preferences and provides insights for disguising future malware attacks.

After collecting data, the zEus stealer drops two files, KEYWORDSEARCHER.bat and Keyword.txt, into the STEALER folder. KEYWORDSEARCHER.bat is a batch file that assists users in searching for specific keywords within a folder, while Keyword.txt serves as its README file. Subsequently, the STEALER folder is compressed into a zip file named STEALER.zip and then deleted. However, it’s important to note that the KEYWORDSEARCHER.bat and Keyword.txt files are not utilized by the zEus stealer itself.

zEus organizes the stolen data and sends it as an attachment named STEALER.zip. This report confirms whether the expected items were successfully stolen and includes the following details:

• Execution Date
• Username
• Computer Name
• Processor
• Anti-virus Software
• Clipboard content
• Installed XBOX games.
• Cryptocurrencies
• Sensitive Files

The zEus stealer checks if the victim uses specific cryptocurrencies, including Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, AtomicWallet, Guarda, and Coinomi.

Additionally, zEus searches the Downloads folder for files containing specific keywords related to login mechanisms and sensitive information. These keywords include terms like 2fa, mdp, motdepasse, mot_de_passe, login, seed, key, data, db, password, secret account, acount, paypal, banque, metamask, wallet, code, exodus, memo, compte, token, backup, and recovery. These keywords cover aspects of two-factor authentication (2FA), password recovery, and various terms related to banking and account security, including French language equivalents.

Features in Dropped Files
In addition to stealing information, the script files dropped to C:\ProgramData\{ComputerName} perform the following features:

Three script files, debugerkiller.bat, Screen.bat, and RAT.bat, are executed immediately upon dropping and ensure persistence by registering their paths under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. They use the names of Windows system files and folders as value names to evade suspicion. zEus stealer includes various functionalities through dropped script files:

• Kill Task Manager: Utilizes debugerkiller.bat to obscure its execution and terminate Task Manager, ensuring screen lock functionality. This script is set to auto-run for continuous operation.
• Send Screenshot: Uses Screen.bat to send a screenshot to a webhook every five seconds. This script runs automatically at startup to monitor the victim’s computer continuously.
• Screen Lock: zEus stealer drops SYSTEMLOCK.bat and configSYSLOCK.vbs for screen locking. configSYSLOCK.vbs launches SYSTEMLOCK.bat, which displays a message advising the victim not to restart the computer and closes explorer.exe to restrict Windows interaction. SYSTEMLOCK.bat continuously executes bsod.hta, a full- screen blank window. Task Manager access is blocked by debugkiller.bat, thwarting common program termination methods. These scripts can be activated via C2 communication.
• Chat Box: Includes CHATBOX.bat to allow the victim to send up to five sentences to the attacker. This functionality can be triggered through command and control (C2) communication.
• C2 Communication: Employs RAT.bat for C2 communication. RAT.bat downloads command-line instructions from onlinecontroler[.]000webhostapp[.]com to COMMANDS.txt, executes them, and logs results to HISTORY.txt. Executed instructions are sent to the attacker’s webhook. RAT.bat runs on startup for continuous computer control.

INSIGHTS

• The integration of malware like zEus into gaming-related downloads highlights a concerning trend within gaming communities. Game developers often allow players to customize game features through user-created packages, increasing enjoyment and replayability. However, this practice also creates opportunities for attackers to distribute malware. In the case of zEus stealer, it was embedded into a source pack shared on YouTube and disguised within a Minecraft source pack as a WinRAR self- extracting archive masquerading as a Windows screensaver file.
• The zEus stealer follows a straightforward attack flow, gathering extensive and critical information such as login credentials, cryptocurrency details, and system configurations. This highlights the serious threat posed by malware distributed through seemingly harmless source packs, emphasizing the risks associated with downloading and using files from unfamiliar sources. Even innocuous-looking downloads can serve as carriers for dangerous malware, underscoring the importance of cautious behavior online.
• zEus Stealer integrates multiple functionalities through script files to execute various malicious actions. These include terminating Task Manager to enforce screen locking, continuously sending screenshots to a webhook for monitoring, implementing screen- locking mechanisms to restrict user interaction, enabling limited communication through a chat box, and establishing command and control (C2) communication for remote control and data logging. These scripts operate discreetly and persistently, highlighting the complex and potentially harmful capabilities of such malware.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the growing trend of using game add-ons and source packs to enhance gaming experiences presents an ongoing challenge for users and organizations alike. As more individuals engage in gaming and game development activities, the risk of encountering malware like zEus continues to rise. Future iterations of zEus could introduce new features and methodologies, making detection and mitigation more challenging for cybersecurity professionals. This continuous evolution of zEus malware may expand its scope and effectiveness, potentially infiltrating systems more deeply and evading traditional security measures. Additionally, the data collected by zEus poses a persistent risk, as it could be leveraged for secondary infections or targeted attacks. Organizations must anticipate these potential developments and enhance their cybersecurity posture with proactive monitoring, threat intelligence, and response strategies.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

• Deploy an Extended Detection and Response (XDR) solution as part of the organization’s layered security strategy that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
• Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audit of workstations, servers, laptops, mobile devices to identify unauthorized/ restricted software.
• Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains.

MANAGEMENT RECOMMENDATIONS

• Security Awareness training should be mandated for all company employees. The training should ensure that employees:
• Avoid downloading and executing files from unverified sources.
• Avoid free versions of paid software.
• Move beyond the traditional model of security awareness towards Improved Simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.
• Incorporate a written software policy that educates employees on good practices in relation to software and potential implications of downloading and using restricted software.

TACTICAL RECOMMENDATIONS

• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defence based on the tactical intelligence provided.
• Evaluate the security and reputation of each piece of open-source software or utilities before usage.
• Enforce policies to validate third-party software before installation.
• Use multi-factor authentication (MFA) to mitigate credential theft and prevent attacker access.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

• Attack Type: Malware Implant, Phishing, Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
• Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
• Ransomware – Lockbit3 Ransomware, RansomHub Ransomware | Malware –zEus Stealer
• Lockbit3 Ransomware – One of the ransomware groups.
• RansomHub Ransomware – One of the ransomware groups.
• Please refer to the trending malware advisory for details on the following:
• Malware – zEus Stealer
• Behaviour –Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Persistent Cyber Intrusions: APT28’s Operations Against Global Institutions

• Threat Actors: APT28
• Attack Type: Phishing
• Objective: Espionage
• Target Technology: Windows
• Target Geographies: Poland
• Target Industries: Government
• Business Impact: Data Loss, Data exfiltration

Summary:
A sophisticated cyber-espionage campaign, attributed to APT28 and linked to the Russian GRU, has been actively targeting Polish government institutions. Techniques employed include DLL side-loading and executing scripts that further download and execute additional payloads.

Their operations exhibit a high level of technical proficiency and employ a diverse range of techniques and objectives. One key indicator of their activity is the use of spear-phishing emails, meticulously crafted to appear legitimate and personalized to their targets within government agencies. These emails often contain malicious links that lead to websites like run[.]mocky[.]io and webhook[.]site, which serve as initial entry points for malware delivery.

Once victims click on the links, they unwittingly initiate the download of a ZIP archive containing malware disguised as image files. This archive typically includes a Windows Calculator binary, masquerading as a JPG image file, alongside hidden batch script and DLL files. A notable aspect of APT28’s operations is their use of DLL side-loading, a technique that allows them to load a malicious DLL file while executing a legitimate application, thereby evading detection by security software. This enables APT28 to execute its malicious code surreptitiously, ultimately compromising the victim’s system. Furthermore, APT28 demonstrates a keen understanding of network evasion tactics, leveraging widely used services like run.mocky.io and webhook[.]site to obscure their malicious activities. By exploiting the trust associated with these legitimate platforms, APT28 reduces the likelihood of their malicious links being detected or blocked by security controls. Additionally, the group employs a multi-stage attack approach, incorporating social engineering tactics to maintain the illusion of legitimacy and deceive victims.

Relevancy & Insights:
Forest Blizzard, a threat group aligned with Russian foreign policy goals, has been actively engaged in espionage activities targeting government, energy, transportation, and non-governmental organizations across the United States, Europe, and the Middle East. Additionally, it has shown interest in media, IT, sports, and educational institutions globally. APT28, commonly associated with Russian interests, employs similar tactics, focusing on espionage and utilizing customized malware like GooseEgg and XAgent to infiltrate networks and gather sensitive information. Understanding the tactics and motives of APT28 is crucial for organizations globally to bolster their cybersecurity defences against such sophisticated threats.

ETLM Assessment:
APT28, a Russia-linked nation-state actor, has conducted a large-scale malware campaign targeting Polish government institutions, following accusations from NATO countries of its involvement in a long-term cyber espionage campaign against political entities and critical infrastructure. Known for using tailored malware, such as XAgent, which targets political and government entities in Western Europe, APT28 has a history of focusing on intelligence gathering to support Russian foreign policy goals. With past activities targeting a wide range of industries globally, including government, energy, transportation, media, IT, sports, and education, APT28’s sophisticated tactics and tailored malware pose a continued and evolving threat to organizations worldwide.

Recommendations:

• Organizations should strengthen their cybersecurity posture by implementing robust network security measures, such as firewalls, intrusion detection systems, and endpoint protection solutions, to detect and prevent unauthorized access by threat actors like APT28.
• Conduct regular security audits and assessments to identify vulnerabilities within the network infrastructure and promptly address any weaknesses that could be exploited by malicious actors.
• Provide comprehensive cybersecurity training to employees to increase awareness of phishing emails and social engineering tactics employed by threat actors like APT28. Employees should be educated on how to identify and report suspicious activities promptly.
• Maintain up-to-date software and security patches to mitigate known vulnerabilities that threat actors may exploit to gain unauthorized access to networks.
• Participate in threat intelligence sharing initiatives and collaborate with industry peers, government agencies, and cybersecurity organizations to stay informed about emerging threats and APT28’s tactics, techniques, and procedures (TTPs).

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

4. Rise in Malware/Ransomware and Phishing

The LockBit3 Ransomware impacts the Grand Indonesia

• Attack Type: Ransomware
• Target Industry: Hospitality
• Target Geography: Indonesia
• Ransomware: Lockbit3 Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia; (www[.]grand- indonesia[.]com), was compromised by the LockBit3 Ransomware. Grand Indonesia is an integrated multipurpose complex at Thamrin Road in Central Jakarta, Indonesia. The 640,000 m² complex consists of a huge shopping mall, office tower Menara BCA, high-end serviced residential tower Kempinski Residences, and the five-star all-suite Hotel Indonesia Kempinski. It is located near the Selamat Datang Monument. The data that has been compromised has not yet surfaced on the leak site, suggesting ongoing negotiations between the affected party and the ransomware group. The compromised data encompasses sensitive and confidential information pertinent to the organization.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

Based on the Lockbit3 Ransomware victims list from 1st Jan 2023 to 15 May 2024, the top 5 Target Countries are as follows:

The Top 10 Industries, most affected by Lockbit3 Ransomware from 1 Jan 2023 to 15 May 2024 are as follows:

ETLM Assessment:
CYFIRMA’s assessment underscores the persistent and widespread threat posed by LockBit 3.0 Ransomware to companies worldwide. Our observations reveal an escalating pattern, wherein LockBit 3.0 Ransomware exploits vulnerabilities in diverse products to infiltrate systems, facilitating lateral movement within organizational networks. Based on the available information, CYFIRMA’s assessment indicates that LockBit 3.0 Ransomware will continue to target various industries globally, with a significant emphasis on the United States, Europe, and Asian regions. The recent breach targeting Grand Indonesia, a leading hospitality firm based in Indonesia, serves as a potential indicator of LockBit 3.0 ransomware’s inclination towards targeting organizations across Southeast Asia.

The RansomHub Ransomware impacts the LPDB KUMKM LPDB.ID/LPDB.GO.ID

• Attack Type: Ransomware
• Target Industry: Government
• Target Geography: Indonesia
• Ransomware: RansomHub Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Indonesia; (www[.]lpdb[.]go[.]id), was compromised by the RansomHub Ransomware. LPDB KUMKM Kementerian Koperasi is an Indonesian government institution responsible for managing revolving funds for cooperatives and small and medium enterprises (SMEs). The main goal of LPDB KUMKM is to provide financial support and assistance to cooperatives and SMEs to help them grow and develop. This includes providing loans, grants, and other financial services to eligible organizations. The data that has been compromised has not yet surfaced on the leak site, suggesting ongoing negotiations between the affected party and the ransomware group. The compromised data includes more than 15TB of the organization’s private documents, backups, and NAS backups that were encrypted.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

• In February 2024, RansomHub posted its first victim, the Brazilian company YKP.
• RansomHub comprises hackers from various global locations united by a common goal of financial gains. The gang explicitly mentions prohibiting attacks on specific countries and non-profit organizations. The gang’s website states that they refrain from targeting CIS, Cuba, North Korea, and China. While they suggest a global hacker community, their operations notably resemble a traditional Russian ransomware setup.
• In February 2024, a UnitedHealth Group subsidiary faced IT system shutdowns due to a cyberattack by an ALPHV affiliate on Change Healthcare, a platform it uses. ALPHV operators dismantled their infrastructure post-attack, failing to pay the affiliate. Change Healthcare allegedly paid a $22 million ransom, only to be hit again by a new group, RansomHub, claiming to possess 4 terabytes of sensitive data. It’s suspected that the affiliate collaborated with RansomHub after ALPHV didn’t pay up, using previously stolen data for leverage. Change Healthcare’s removal from RansomHub’s DLS suggests possible negotiation with the threat actors as of April 20, 2024.
• RansomHub Ransomware group primarily targets countries such as the United States of America, Brazil, the United Kingdom, Slovakia, and Malaysia.
• RansomHub Ransomware group primarily targets industries, such as Computer Services, Heavy Construction, Renewable Energy Equipment, Restaurants & Bars, and Software.
• Based on the RansomHub Ransomware victims list from 1 2024, the top 5 Target Countries are as follows:
  
• The Top 10 Industries, most affected by RansomHub Ransomware from 1st Jan 2023 to 15 May 2024 are as follows:
  

ETLM Assessment:
The RansomHub group seems to be a recently emerged ransomware group, likely with roots in Russia. Due to the benefit it offers its affiliates and the strict controls it enforces, they could be vying for the leadership position amidst pressure from security forces to major players like LockBit and ALPHV. However, their ransomware strains appear to be just a revised version of an old sample for now. An interesting part is that this strain is also written in the Golang language. Based on CYFIRMA’s assessment, RansomHub Ransomware targets worldwide organizations. The attack on LPDB KUMKM LPDB.ID/LPDB.GO.ID also highlights ransomware groups’ interest in Southeast Asian organizations financially strong in the region with exploitable vulnerabilities.

5. Vulnerabilities and Exploits

Vulnerability in PowerDNS DNSdist

• Attack Type: Vulnerabilities & Exploits
• Target Technology: Server application
• Vulnerability: CVE-2024-25581 (CVSS Base Score 7.5)
• Vulnerability Type: Reachable Assertion

Summary:
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

Relevancy & Insights:
The vulnerability exists due to a reachable assertion when incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend.

Impact:
A remote attacker can send a specially crafted request for a zone transfer (AXFR or IXFR) over DNS over HTTPS and perform a denial of service (DoS) attack.

Affected Products: https[:]//dnsdist[.]org/security-advisories/powerdns-advisory-for-dnsdist- 2024-03.html

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerabilities in DNSdist, a UNIX daemon for DNS proxy and load balancing, could disrupt services and compromise network integrity across industries like technology, finance, and healthcare worldwide, necessitating robust security measures and continuous monitoring. Its adaptability ensures efficient and resilient DNS services, catering to diverse geographic regions’ needs.

6. Latest Cyber-Attacks, Incidents, and Breaches

underground Ransomware attacked and Published data from Synology

• Threat Actors: underground Ransomware
• Attack Type: Ransomware
• Objective: Data Leak, Financial Gains
• Target Technology: Web Application
• Target Geographies: Germany, Taiwan
• Target Industry: Information Technology
• Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently we observed that underground Ransomware attacked and Published data of Synology on its darkweb website. Synology Inc(www[.]synology[.]com). is a prominent technology company known for its expertise in network-attached storage (NAS) solutions. Founded in 2000 and headquartered in Taipei, Taiwan, Synology has a global presence with offices in Germany, the United States, the UK, France, Japan, and China. The company provides a range of products designed to help businesses and individuals manage, secure, and protect their data effectively. Synology’s product lineup includes high-performance NAS systems, storage solutions for virtualization environments, and comprehensive data management and protection tools. Their DiskStation Manager (DSM) is a widely acclaimed operating system that powers their NAS devices, offering features like multimedia management, file synchronization, data backup, and virtualization support. DSM is known for its user-friendly interface and robust security measures, making it suitable for both home users and enterprises. The data leak, following the ransomware attack, encompasses a broad spectrum of sensitive and confidential information pertinent to the organization. The data leak is approximately 51 GB in total size.

Source: Dark Web

Relevancy & Insights:
The Underground ransomware gang announced a massive operation recently. The hackers listed 11 victims on their leak website, along with a short summary of each. The amount of data leaked varies between 35 GB and 1.6 TB. We observed that the Underground Ransomware group uses the double-extortion practice to force the victims into paying the ransom. They always leave a ransom note behind, containing information about the type of data they stole and where they’ve exfiltrated it.

ETLM Assessment:
There are some conflicting reports and theories at play regarding Underground’s actual identity. One such theory claims that the gang is the successor of the infamous Industrial Spy ransomware that was active in 2022. This hasn’t been confirmed yet. Based on the available information, CYFIRMA’s assessment indicates that Underground ransomware will continue to target various industries globally, with a significant emphasis on the United States, European, and Asian regions. The recent breach targeting Synology, a leading informational technology firm based in Taiwan, serves as a potential indicator of Underground ransomware’s inclination towards targeting organizations across the East Asia region.

7. Data Leaks

Hunters Bali data advertised on a Leak Site

• Attack Type: Data Leak
• Target Industry: Food and Beverages
• Target Geography: Indonesia
• Objective: Data Theft, Financial Gains
• Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to Hunters Bali,
{www[.]huntersbali[.]com } in an underground forum. Hunters Bali is a premium meat supplier in Bali offering high-quality, nutrient-dense animal products. animal products include grass-fed beef, free-range poultry, wild-caught seafood, and other premium meats sourced locally and from neighboring regions. The compromised data includes customer information such as name, username, last active date, sign-up date, email, orders, total spend, average order value (AOV), country, city, region, postal code, and other sensitive and confidential details. The data breach has been attributed to a threat actor identified as ‘Sedapmalam’.

Source: Underground Forums

PT Kreasi Putra Hotama Indonesia data advertised on a Leak Site

• Attack Type: Data Leak
• Target Industry: Business Services
• Target Geography: Indonesia
• Objective: Data Theft, Financial Gains
• Business Impact: Data Loss, Reputational Damage

Summary:
The CYFIRMA Research team observed a potential data leak related to PT Kreasi Putra Hotama Indonesia, {www[.]hotama[.]co[.]id } in an underground forum. PT Kreasi Putra Hotama Indonesia is a reputable software development and IT consulting company with over 10 years of experience. The compromised data includes email address, phone number, first name, last name, country, and zip code.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Based on CYFIRMA’s assessment, the financially motivated threat actor known as ‘Sedapmalam’ poses a significant risk to organizations, as they are known to target any institution and profit from selling sensitive data on the dark web or underground forums. The organizations targeted by ‘Sedapmalam’ typically have inadequate security measures in place, rendering them vulnerable to potential cyberattacks orchestrated by this threat actor.

Recommendations: Enhance the cybersecurity posture by

• Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
• Ensure proper database configuration to mitigate the risk of database-related attacks.
• Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

CYFIRMA Research team observed a potential data leak related to Localplace l(www[.]localplace[.]jp). The local place is the Japanese Online Reservation Agency. The compromised data includes client ID, company form, company name, full company information, phone number, full name, family name, email address, billing information, and other sensitive and confidential details.

Source: Underground forums

ETLM Assessment:
Satanic threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

• Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
• Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
• Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
• Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring, through next generation security solutions and ready to go incident response plan.
• Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

• Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
• Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied and the proper implementation of security technologies, followed by corrective actions remediations, and lessons learned.
• Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromised, and are measured against real attacks the organization receives.
• Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcoming of EDR and SIEM solutions.
• Detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies and continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

• Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthen defences based on tactical intelligence provided.
• Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
• Implement a combination of security control such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
• Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography – Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.