Weekly Intelligence Report – 18 Oct 2024

Published On : 2024-10-18

Ransomware of the Week

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. These span multiple industries, geographies, and technologies that could be relevant to your organization.

Type: Ransomware
Target Technologies: MS Windows

Introduction
CYFIRMA Research and Advisory Team has found Defi Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

Defi Ransomware
Researchers recently identified Defi, a ransomware variant from the Makop family. This variant encrypts a victim’s data and subsequently demands a ransom payment in exchange for the decryption key.

Defi demonstrated its malicious capabilities by encrypting files and altering their filenames. The original file names were modified to include a unique identifier assigned to the victim, the attackers’ email address, and a new file extension of “.defi1328” (the number in the extension may differ between samples).

After completing the encryption process, the ransomware alters the victim’s desktop wallpaper to display a warning message. Additionally, it drops a ransom note in a text file named “+README-WARNING+.txt,” providing further instructions on how victims can recover their files by paying the demanded ransom.

Screenshot of files encrypted by this ransomware (Source: SurfaceWeb)

The ransom note from Defi informs victims that their data has been encrypted but reassures them that the file structure remains intact. To recover their files, victims must pay a ransom, although they are offered the opportunity to test the decryption process on a limited number of files, subject to specific conditions.

The message cautions victims against modifying the encrypted files or using antivirus software and third-party recovery tools, as these actions may lead to permanent data loss.

Appearance of Defi ransomware’s text file “+README-WARNING+.txt” (GIF) (Source: Surface Web)

Screenshot of Defi’s desktop wallpaper: (Source: Surface Web)

Following are the TTPs based on the MITRE ATT&CK Framework.

Sr. No | Tactics                      | Techniques/Sub-Techniques
1      | TA0002: Execution            | T1059.003: Command and Scripting Interpreter: Windows Command Shell
       |                              | T1106: Native API
       |                              | T1129: Shared Modules
2      | TA0003: Persistence          | T1574.002: Hijack Execution Flow: DLL Side-Loading
3      | TA0004: Privilege Escalation | T1574.002: Hijack Execution Flow: DLL Side-Loading
4      | TA0005: Defense Evasion      | T1027.005: Obfuscated Files or Information: Indicator Removal from Tools
       |                              | T1036: Masquerading
       |                              | T1070.004: Indicator Removal: File Deletion
       |                              | T1222: File and Directory Permissions Modification
       |                              | T1497: Virtualization/Sandbox Evasion
       |                              | T1548: Abuse Elevation Control Mechanism
       |                              | T1564.003: Hide Artifacts: Hidden Window
       |                              | T1574.002: Hijack Execution Flow: DLL Side-Loading
5      | TA0007: Discovery            | T1012: Query Registry
       |                              | T1057: Process Discovery
       |                              | T1082: System Information Discovery
       |                              | T1083: File and Directory Discovery
       |                              | T1087: Account Discovery
       |                              | T1135: Network Share Discovery
       |                              | T1518.001: Software Discovery: Security Software Discovery
       |                              | T1614: System Location Discovery
6      | TA0009: Collection           | T1115: Clipboard Data
7      | TA0011: Command and Control  | T1071: Application Layer Protocol
       |                              | T1105: Ingress Tool Transfer
8      | TA0040: Impact               | T1486: Data Encrypted for Impact

Relevancy and Insights:

  • This ransomware specifically targets the widely used Windows Operating System, which is prevalent across numerous industries and organizations.
  • The ransomware’s attempt to delete Volume Shadow Copies (VSS) indicates a deliberate effort to hinder data recovery options for victims.
  • The ransomware is making calls to the Windows Management Instrumentation (WMI) framework. WMI is a powerful tool used by many legitimate applications and services, but it can also be exploited by malware to execute commands, collect information, or perform system modifications.

ETLM Assessment:
According to the assessment from CYFIRMA, Makop ransomware has been targeting industries including software, IT, finance, and others globally. This new variant is anticipated to concentrate on these sectors due to their lucrative financial opportunities. Cybercriminals will likely exploit these industries’ vulnerabilities to disrupt operations, steal sensitive data, and demand substantial ransoms. This situation highlights the critical need for enhanced defensive measures to protect these high-value sectors from potential ransomware attacks.

SIGMA Rule:
title: Delete shadow copy via WMIC
status: experimental
threatname:
behaviorgroup: 18
classification: 0
mitreattack:
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*wmic*shadowcopy delete*'
    condition: selection
level: critical
(Source: Surface web)
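To show what the rule above actually matches, here is an added example (not from the report or any Sigma tooling) that translates the rule's wildcard string with Sigma semantics (case-insensitive, `*` matching any run of characters) and runs it over three constructed process_creation events:

```python
import re

# Sigma rule from the report: flag process-creation events whose CommandLine
# contains "wmic", then "shadowcopy delete", with anything in between.
RULE_PATTERNS = ["*wmic*shadowcopy delete*"]


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma wildcard string into a compiled, case-insensitive regex.

    Sigma semantics: '*' matches any run of characters, '?' matches exactly one,
    string comparison is case-insensitive, and the pattern must cover the whole
    field (a leading/trailing '*' is what makes it a "contains" match).
    """
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


COMPILED = [sigma_wildcard_to_regex(p) for p in RULE_PATTERNS]


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's 'selection' against one event.

    The logsource fields are checked first so that events from another category
    or product never produce a hit; the selection itself only constrains CommandLine.
    """
    if event.get("category") != "process_creation" or event.get("product") != "windows":
        return False
    cmdline = event.get("CommandLine", "")
    return any(rx.match(cmdline) for rx in COMPILED)


# Constructed sample events (not from the report): a benign WMIC query, a
# shadow-copy deletion through WMIC, and the same deletion done via vssadmin.
SAMPLE_EVENTS = [
    {"category": "process_creation", "product": "windows",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get Caption,Version"},
    {"category": "process_creation", "product": "windows",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "WMIC.exe shadowcopy delete /nointeractive"},
    {"category": "process_creation", "product": "windows",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
]


def run_rule(events: list) -> list:
    """Return the CommandLine of every event the rule flags."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT (level: critical):", hit)
```

Only the WMIC deletion is flagged; the vssadmin variant of the same action falls outside this rule's pattern, so pair it with a rule that covers `vssadmin delete shadows` if you want both paths to shadow-copy removal covered.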

Indicators of Compromise
Kindly refer to the IOCs section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
  • Ensure that backups of critical systems are maintained which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

  • A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
  • Enable zero-trust architecture and multifactor authentication (MFA) to mitigate the compromise of credentials.
  • Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

  • Update all applications/software regularly with the latest versions and security patches alike.
  • Add the Sigma rules for threat detection and monitoring which will help to detect anomalies in log events, identify and monitor suspicious activities.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.

Trending Malware of the Week

Type: Remote Access Trojan
Objective: Espionage, Data theft, Remote Access
Target Technology: Windows OS

Active Malware of the Week
This week “DarkVision RAT” is trending.

DarkVision RAT
Researchers have uncovered a new malware campaign distributing DarkVision RAT, a highly customizable remote access trojan (RAT) that emerged in 2020. Offered for as little as $60 on Hack Forums, DarkVision RAT has gained traction among low-skilled cybercriminals due to its affordability and extensive feature set. Written in C/C++ and assembly, this RAT provides a range of capabilities, including keylogging, screenshot capture, file manipulation, process injection, remote code execution, and password theft.

In this latest campaign, the RAT is deployed using PureCrypter as a loader. DarkVision RAT establishes communication with its command-and-control (C2) server through a custom network protocol using sockets. Notably, the RAT incorporates various evasion and privilege escalation techniques, such as DLL hijacking, auto-elevation, and process injection. Its wide array of commands and plugins allows for enhanced functionality, including audio recording and screen captures, making it a versatile tool for cybercriminals.

Infection chain
The infection chain for DarkVision RAT involves a multi-stage process that begins with the execution of a .NET executable. The following outlines the infection chain of DarkVision RAT:

Fig: An example attack chain distributing DarkVision RAT as the payload in the final stage.

Technical Analysis

First stage: Shellcode decryption in DarkVision RAT attack
The initial stage of the attack chain begins with a .NET executable file, protected by .NET Reactor. Upon execution, this file first runs a command that introduces a 10-second delay (`cmd /c timeout 10`). Following this brief pause, it decrypts the second-stage shellcode using Triple Data Encryption Standard (3DES). The decryption process involves Base64-encoded key and initialization vector (IV) strings: `xwmyVxHV39B5ns41HJtzRQ==` for the key and `SzD5abWvrRk=` for the IV. The executable decodes these strings into their original binary form, which are then used in the 3DES algorithm to decrypt the shellcode. The decrypted shellcode is subsequently written to a block of memory and made executable through the VirtualAlloc and VirtualProtect APIs. Finally, the .NET executable employs the EnumCalendarInfo API’s callback function to execute the shellcode, advancing to the second stage of the attack.

Second stage: Donut loader
The decrypted second stage shellcode is identified as the open-source Donut loader, which is x86 position-independent and specifically designed to load .NET assemblies directly into memory. The Donut Loader employs the Chaskey block cipher to encrypt its modules. To extract the third stage payload, researchers utilized the Donut Decryptor tool.

Third stage

Loading DarkVision RAT with PureCrypter
The third stage of the attack chain involves a .NET assembly identified as PureCrypter. The primary function of the PureCrypter injector begins by decompressing (gunzip) and deserializing an object into a Protocol Buffers (protobuf) structure. A critical component of this structure is the member named `gr2pwD82LI`, which contains an element called `Uoepndv4TW`. This element holds the encrypted portable executable (PE) content of the DarkVision RAT payload, secured using the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode. Additionally, the protobuf structure includes another member named `IUQ99bXImZ`, which specifies the startup settings for DarkVision RAT.

Windows Defender exclusion and persistence tactics in PureCrypter
To further its malicious capabilities, PureCrypter employs a Base64-encoded PowerShell command that, once decoded, instructs PowerShell to add malicious file paths and process names associated with the RAT to Windows Defender’s exclusion list. This tactic is demonstrated by the PowerShell commands used to add exclusions for DarkVision RAT. Moreover, PureCrypter ensures the persistence of DarkVision RAT by writing the current file to `%APPDATA%\Sighul.exe` and configuring the Auto-run registry key `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` to maintain persistence with the name set to Sighul. Following this setup, the decrypted DarkVision RAT file is injected into the current process, and execution is directed to the entry point of DarkVision RAT, thereby advancing to the fourth stage of the attack.

Fourth stage: Persistence and C&C protocol
DarkVision RAT begins its operation by dynamically resolving APIs through the use of `GetProcAddress` and `LoadLibrary`. To evade userland hooks that may be placed by antivirus and endpoint detection and response (EDR) software, the RAT reloads these libraries each time using `LoadLibrary`. The API names utilized by the malware are stored in an XOR-encoded format, which is decoded with the XOR key `[19 72 19 72]`.

Additionally, DarkVision RAT employs XOR encoding to store important strings. Following these initial steps, the RAT proceeds to parse the command-line arguments.
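An added analyst helper (not code from the report or from the malware) that turns the XOR-encoded string storage into something searchable: it derives the encoded byte pattern of each known API name under the 4-byte key and locates those patterns in a dumped buffer. It assumes the key is the hex bytes 19 72 19 72 (the report's `[19 72 19 72]`), that strings are NUL-terminated ASCII, and that the key stream may start at any alignment relative to a string; the sample buffer is constructed here.

```python
# Assumed reading of the report's "[19 72 19 72]": four hex bytes.
XOR_KEY = bytes([0x19, 0x72, 0x19, 0x72])

# API names the report says the RAT resolves or uses for injection.
KNOWN_APIS = ["GetProcAddress", "LoadLibraryA", "VirtualAlloc",
              "NtCreateSection", "NtMapViewOfSection"]


def xor_with_key(data: bytes, key: bytes, key_off: int = 0) -> bytes:
    """XOR data with a repeating key starting at key position key_off (self-inverse)."""
    return bytes(b ^ key[(i + key_off) % len(key)] for i, b in enumerate(data))


def key_rotations(key: bytes) -> dict:
    """Map each distinct rotation of the key to the smallest offset producing it.

    19 72 19 72 has period 2, so only offsets 0 and 1 give different key
    streams; collapsing duplicates keeps the scanner from reporting a hit twice.
    """
    rots = {}
    for off in range(len(key)):
        rots.setdefault(key[off:] + key[:off], off)
    return rots


def scan_for_encoded_apis(blob: bytes, key: bytes = XOR_KEY, names=KNOWN_APIS) -> list:
    """Return sorted (blob_offset, key_offset, api_name) for every encoded name found."""
    hits = set()
    for rot, key_off in key_rotations(key).items():
        for name in names:
            needle = xor_with_key(name.encode("ascii") + b"\x00", rot)
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.add((idx, key_off, name))
                start = idx + 1
    return sorted(hits)


def decode_cstring_at(blob: bytes, offset: int, key_off: int = 0, key: bytes = XOR_KEY) -> str:
    """Decode the XOR-encoded, NUL-terminated string that starts at blob[offset]."""
    out = bytearray()
    for i in range(offset, len(blob)):
        b = blob[i] ^ key[(i - offset + key_off) % len(key)]
        if b == 0:
            break
        out.append(b)
    return out.decode("ascii", errors="replace")


def build_sample_blob() -> bytes:
    """Constructed buffer: filler, then two encoded names at different key alignments."""
    blob = b"\x90" * 7                                       # offsets 0-6
    blob += xor_with_key(b"VirtualAlloc\x00", XOR_KEY, 0)    # offset 7, key offset 0
    blob += b"\xcc\xcc"                                      # offsets 20-21
    blob += xor_with_key(b"GetProcAddress\x00", XOR_KEY, 1)  # offset 22, key offset 1
    blob += b"plain text stays plain"
    return blob


if __name__ == "__main__":
    sample = build_sample_blob()
    for off, key_off, name in scan_for_encoded_apis(sample):
        print(f"0x{off:04x} key_off={key_off} {name} -> {decode_cstring_at(sample, off, key_off)}")
```

The same needles, emitted as hex strings, can be dropped into a YARA rule so that a sample is recognised by its encoded import table even though the plain names never appear on disk.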

Command-line parsing in DarkVision RAT
After decoding the necessary strings, DarkVision RAT begins to analyze any command-line arguments, which are represented as Globally Unique Identifiers (GUIDs). These GUIDs are utilized as identifiers in various contexts, including registry keys, folder names, and file names. Notably, different samples of DarkVision RAT exhibit varying GUIDs, demonstrating a level of randomness that complicates the creation of detection logic. Two examples of GUIDs and their associated actions in this sample are as follows:

  • {B8B1DC5F-E2FC-41FF-A2D1-DB3800909230}: Under the condition that the user is not a local administrator and the Windows version is 10 or higher, DarkVision RAT attempts to escalate privileges through DLL hijacking. It specifically targets the legitimate Windows process `WinSAT.exe` and the dynamic link library file `DXGI.DLL` to facilitate auto-elevation.
  • {14C43BB8-A5DF-4F5D-A77A-E8BB32DEE41F}: In this scenario, where the user is a local administrator and the Windows version is 10 or higher, DarkVision RAT adds an exclusion rule to Windows Defender to evade detection. This is accomplished by executing the command `cmd.exe /c powershell.exe Add-MpPreference -ExclusionPath`, instructing Windows Defender to ignore the RAT’s file path.

Adding DarkVision RAT data to the Windows registry
DarkVision RAT establishes a presence on infected systems by creating a registry key at HKEY_CURRENT_USER\SOFTWARE, where it stores three critical values, each identified by a hardcoded GUID. The first value contains the RAT file content, which is utilized by specific command opcodes (0x2BD and 0x2BE) to facilitate writing the RAT file to disk. The second value indicates the RAT file path, which is subject to deletion based on a designated flag aimed at removing artifacts left by the malware. Lastly, the third value records the current system time in a FILETIME structure, which is included in a FINGERPRINT_INFO1 structure sent to the command-and-control (C2) server. This registry manipulation plays a vital role in the RAT’s functionality and stealth, enabling it to operate effectively within compromised systems.

Persistence mechanisms leveraged by DarkVision RAT
DarkVision RAT utilizes three distinct methods to maintain persistence on infected systems, employing hardcoded flags that determine which technique will be activated. This flexibility suggests that attackers can configure these options when creating a DarkVision RAT sample. The first method involves placing a batch script in the Windows startup folder. This script contains a command to execute the RAT executable, ensuring it runs each time the system starts. The second method leverages autorun keys, where DarkVision RAT adds an entry in Software\Microsoft\Windows\CurrentVersion\Run, allowing it to launch automatically based on user or system-level settings. The final method involves utilizing the ITaskService COM interface to schedule a task for executing the malware.

After establishing these persistence mechanisms, DarkVision RAT verifies its execution location, specifically checking for its presence in %APPDATA%\photos\System.exe. If it is not found there, the RAT copies itself to this designated path to ensure it runs consistently from a known location. Additionally, the RAT creates a folder in C:\ProgramData, referred to as the plugin parent folder to store encrypted plugins necessary for its operations.

Process injection techniques employed by DarkVision RAT
DarkVision RAT employs the NtCreateSection and NtMapViewOfSection APIs to facilitate process injection, a critical component for executing various RAT functionalities. The malware initiates a remote process in a suspended state and subsequently creates a new memory section. It maps one view of this section to the local process and another to the target remote process. In the local process, the RAT populates the mapped view with the function it intends to execute. This process is then repeated to fill the corresponding structure in the remote process’s mapped view. To prepare for execution, DarkVision RAT modifies the thread context of the remote process by setting the Instruction Pointer (RIP/EIP) to the function’s address and configuring the first parameter (RCX/ESP+4) to point to the address of the populated structure. Finally, the RAT resumes the thread, triggering the execution of the desired function.

DarkVision RAT communication protocol
Upon execution, DarkVision RAT establishes a connection with its Command and Control (C2) server to receive instructions and transmit information. The communication is conducted through a custom binary protocol, with the C2 address parsed in one of two ways depending on specific flags: either by retrieving the address from a URL using WinHTTP libraries or by using hardcoded C2 information embedded in the binary, such as `severdops.ddns[.]net:8120`.

Registration
The initial action taken by DarkVision RAT is to register itself with the C2 server by sending a unique Bot ID. This ID is generated by creating a random GUID and appending an MD5 hash of the string “P@55w0rd!”, which is stored in plain text within the RAT’s code and varies among samples.

Receiving the acknowledgment (ACK) packet
After sending the Bot ID, the RAT awaits a response from the C2 server, which sends an acknowledgment packet (ACK) in the form of `{ 01 00 00 00 }`. If the received data matches the expected value, the RAT continues its operation by sending another packet, `{ 00 00 00 00 }`, which is also acknowledged by the server.

Device fingerprinting
Following the registration process, DarkVision RAT performs device fingerprinting to collect system information. This information is transmitted in two packets, each preceded by the size of the structure being sent. The server acknowledges receipt of each structure with ACK packets, confirming successful communication. After sending its unique Bot ID through a newly created socket, the RAT engages in a series of ACK exchanges with the server, establishing a stable connection before waiting for further commands from the C2 server.
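The registration, ACK exchange and fingerprint steps described above, modelled as an added example (not code from the report or the malware) that replays a constructed bot/server exchange through a small state machine a network analyst could run over reassembled TCP payloads. Assumed details that the report does not give: the Bot ID is the GUID text immediately followed by the 32 hex digits of the MD5, and each fingerprint structure's size prefix is a 4-byte little-endian integer.

```python
import hashlib
import struct
import uuid

ACK = b"\x01\x00\x00\x00"              # server acknowledgment packet from the report
CLIENT_FOLLOWUP = b"\x00\x00\x00\x00"  # client packet sent after the first ACK
# Report: Bot ID = random GUID + MD5 of the sample's plain-text string "P@55w0rd!"
# (the string differs between samples, so derive it from the sample under analysis).
BOTID_SUFFIX = hashlib.md5(b"P@55w0rd!").hexdigest()


def make_bot_id() -> bytes:
    """Constructed Bot ID for the sample stream; the exact text layout is assumed."""
    return (str(uuid.uuid4()) + BOTID_SUFFIX).encode("ascii")


def looks_like_bot_id(payload: bytes) -> bool:
    """Heuristic for the registration packet: GUID text followed by 32 hex digits."""
    if len(payload) != 36 + 32:
        return False
    try:
        uuid.UUID(payload[:36].decode("ascii"))
        int(payload[36:].decode("ascii"), 16)
    except ValueError:
        return False
    return True


def classify_session(messages) -> dict:
    """Score a list of (direction, payload) pairs against the DarkVision handshake.

    direction is "c2s" (bot to server) or "s2c". Stages, per the report:
      registration : client Bot ID, server ACK
      ack_exchange : client {00 00 00 00}, server ACK
      fingerprint  : two structures, each a size then the body, each ACKed
    Any deviation stops scoring; stages reached so far are still reported.
    """
    state = "botid"
    stages = []
    pending = None
    fp_done = 0
    for direction, payload in messages:
        if state == "botid" and direction == "c2s" and looks_like_bot_id(payload):
            state = "ack1"
        elif state == "ack1" and direction == "s2c" and payload == ACK:
            stages.append("registration")
            state = "followup"
        elif state == "followup" and direction == "c2s" and payload == CLIENT_FOLLOWUP:
            state = "ack2"
        elif state == "ack2" and direction == "s2c" and payload == ACK:
            stages.append("ack_exchange")
            state = "fp_size"
        elif state == "fp_size" and direction == "c2s" and len(payload) == 4:
            pending = struct.unpack("<I", payload)[0]   # assumed little-endian size
            state = "fp_body"
        elif state == "fp_body" and direction == "c2s" and len(payload) == pending:
            state = "fp_ack"
        elif state == "fp_ack" and direction == "s2c" and payload == ACK:
            fp_done += 1
            if fp_done == 2:
                stages.append("fingerprint")
                break
            state = "fp_size"
        else:
            break
    return {"stages": stages, "matched": len(stages) == 3}


def build_sample_session() -> list:
    """Constructed exchange following the report's description, not a real capture."""
    fp1 = b"\x01\x00" + b"WORKSTATION-01\x00"   # stand-in for FINGERPRINT_INFO1
    fp2 = b"Windows 10 Pro\x00"                 # stand-in for the second structure
    session = [("c2s", make_bot_id()), ("s2c", ACK),
               ("c2s", CLIENT_FOLLOWUP), ("s2c", ACK)]
    for body in (fp1, fp2):
        session += [("c2s", struct.pack("<I", len(body))), ("c2s", body), ("s2c", ACK)]
    return session


if __name__ == "__main__":
    print(classify_session(build_sample_session()))
```

On real traffic the size prefix and structure body may arrive in one segment, so feed the classifier reassembled application-layer messages rather than raw packets.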

Commands supported by DarkVision RAT
DarkVision RAT stores its commands as an array of 12 elements, each represented by a structure called COMMAND_STRUCT, sized at 0x28. This structure includes the command’s opcode, function address, and related data. When the opcode matches the data received from the C2 server, the RAT executes the corresponding function by creating a new thread, enabling it to carry out the intended action.

Fig: Commands implemented by DarkVision RAT.

Plugins available in DarkVision RAT
DarkVision RAT relies heavily on plugins for its functionality. These plugins are stored in encrypted form on disk and in the registry but remain in plain text while in memory. When a plugin is loaded, it runs using ordinal 0x65 via a new thread. This thread uses a structure that carries critical details about the plugin, ensuring the RAT can properly execute its intended tasks.

Fig: Plugins loaded by DarkVision RAT.

INSIGHTS

  • DarkVision RAT is a sophisticated malware used by cybercriminals to maintain persistence, perform surveillance, and execute commands on compromised systems. It’s part of an evolving campaign where attackers utilize customized tactics to ensure they have control over infected machines. The RAT employs various methods to establish itself, including creating batch scripts and leveraging autorun keys to automatically launch when the system starts. This flexibility in persistence mechanisms indicates a focus on long-term infiltration, which could pose a significant risk to organizations that may remain unaware of the infection for extended periods.
  • The communication between DarkVision RAT and its command-and-control (C2) server highlights its adaptability. It uses custom protocols to send and receive data from its operators, ensuring that it can relay system information, respond to commands, and carry out instructions such as collecting device fingerprints or deploying additional malware. The RAT’s capability to inject code into processes and manipulate system memory further enhances its effectiveness in avoiding detection while maintaining control over the infected device.
  • DarkVision RAT’s modular nature, relying on encrypted plugins, enables it to carry out a wide range of tasks beyond just surveillance or basic system control. These plugins remain encrypted on the disk, ensuring that the RAT’s functionality is concealed from traditional security tools. As attackers continue to refine their tactics, this campaign could spread into broader regions, targeting industries where sensitive data is at risk, potentially leading to serious data breaches and disruptions.

ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that DarkVision RAT is poised to become a serious threat to organizations as attackers continually enhance its capabilities. Its ability to remain hidden through encryption and advanced persistence techniques could allow it to target critical systems, leading to prolonged unauthorized access. As it evolves, the malware is likely to extend its reach, impacting organizations across broader regions as cybercriminals refine its features. This could result in more sophisticated and persistent attacks, making detection increasingly difficult. In response, organizations may need to invest in more advanced threat intelligence and detection systems to keep pace with its growing complexity and potential for multi-stage attacks.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

STRATEGIC RECOMMENDATIONS

  • Maintain an up-to-date inventory of all active software used within the organization and perform regular self-audits of workstations, servers, laptops, and mobile devices to identify unauthorized/restricted software.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Configure organization’s intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defence mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix.

MANAGEMENT RECOMMENDATIONS

  • Implement real-time website monitoring to analyze network traffic going in and out of the website to detect malicious behaviours.
  • Ensure compromised systems are disconnected from the network and powered down as soon as possible.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviors that lead to a compromise, and are measured against real attacks the organization receives.

TACTICAL RECOMMENDATIONS

  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence based on the tactical intelligence provided.
  • Enable Network traffic/security monitoring, security incident detection, notification, and alerting by leveraging SIEM solutions.

Weekly Intelligence Trends/Advisory

1. Weekly Attack Type and Trends

Key Intelligence Signals:

  • Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
  • Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
  • Ransomware – Sarcoma Ransomware, Underground Ransomware | Malware – DarkVision RAT
  • Sarcoma Ransomware – One of the ransomware groups.
  • Underground Ransomware – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – DarkVision RAT
  • Behaviour – Most of these malware families use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus

Earth Simnavaz (APT34) Launches Sophisticated Cyberattacks on UAE and Gulf States

  • Threat actor: APT34
  • Initial Attack Vector: Vulnerability Exploitation
  • Objective: Espionage
  • Target Technology: Microsoft Exchange servers and Windows
  • Target Geographies: UAE, Middle East and Gulf region
  • Target Industries: Government
  • Business Impact: Operational Disruption, Financial Losses and Data Compromise.

Summary:
Earth Simnavaz, also known as APT34 or OilRig, is a cyber espionage group linked to Iranian interests, actively targeting governmental entities in the UAE and the broader Gulf region. The group employs sophisticated tactics, including backdoor deployment via Microsoft Exchange servers, credential theft, and exploitation of vulnerabilities such as CVE-2024-30088 for privilege escalation. Their operations involve customized .NET tools, PowerShell scripts, and the use of legitimate remote monitoring tools like ngrok to maintain persistence and evade detection. Recent activities suggest a focus on key infrastructure and the establishment of footholds for future attacks, leveraging compromised accounts for phishing and supply chain attacks. Earth Simnavaz’s methods include deploying web shells for initial access, exfiltrating sensitive data through email via compromised Exchange servers, and employing malicious password filters for credential harvesting. The group’s persistent threat emphasizes the need for intelligence-driven incident response and the implementation of robust security measures, such as Zero Trust architecture, to defend against these evolving attacks.

Relevancy & Insights:
Earth Simnavaz has a history of cyber espionage activities characterized by sophisticated attacks targeting governmental and critical infrastructure entities, particularly in the Gulf region. Previous incidents often involved the exploitation of Microsoft Exchange servers for credential theft, utilizing backdoors and web shells to gain persistent access to networks. For example, earlier campaigns included phishing techniques and the deployment of tools that facilitated lateral movement within compromised environments.

The current incident closely correlates with these past attacks, notably through the use of CVE-2024-30088 for privilege escalation, allowing the group to deepen their foothold within targeted systems. The deployment of customized .NET tools and PowerShell scripts mirrors their earlier methodologies, reinforcing their strategic focus on credential harvesting and data exfiltration. This consistency in tactics highlights the group’s adaptive nature while maintaining their primary objective of espionage.

By analyzing these, it becomes evident that Earth Simnavaz may continue to refine its techniques while pursuing sensitive information from key governmental and infrastructural targets in the region, highlighting the persistent threat they pose.

ETLM Assessment:
This espionage group, linked to Iranian interests, primarily targets governmental entities in the UAE and the broader Gulf region. Their operations focus on critical industries, especially the energy sector and essential infrastructure, where they exploit a range of technologies, most notably Microsoft Exchange servers for credential theft and data exfiltration.

Recently, they have targeted vulnerabilities like CVE-2024-30088, enabling privilege escalation and facilitating deeper network access. Their current toolkit includes customized .NET applications, PowerShell scripts, and advanced backdoors, while earlier methods involved web shells and the Karkoff backdoor.

The threat landscape reveals a growing trend of state-sponsored cyberattacks, with Earth Simnavaz adapting its tactics to evade detection and leverage legitimate tools like ngrok for command-and-control operations. Looking ahead, the group is expected to further refine its techniques and exploit new vulnerabilities, posing an ongoing risk to national security. Organizations in the region must implement proactive security measures, including Zero Trust frameworks and robust incident response strategies, to effectively mitigate these evolving threats.

Recommendations:

  • Strengthen Exchange Server Security: Organizations should enforce strict security protocols for Microsoft Exchange servers, including multi-factor authentication (MFA) for all accounts and regular audits of access logs to detect unauthorized activities.
  • Implement Robust Patch Management: Develop a proactive patch management strategy to address vulnerabilities like CVE-2024-30088 promptly. Ensure that systems are continuously monitored for newly disclosed vulnerabilities and that patches are applied without delay.
  • Enhance Detection of Web Shells: Deploy tools specifically designed to identify and eliminate web shells on IIS servers. Regularly scan for unauthorized files and analyze HTTP request patterns to uncover potential compromises.
  • Monitor Credential Use: Implement solutions to monitor the use of compromised credentials, particularly in administrative accounts. Establish alerts for any unusual access or privilege escalation attempts.
  • Utilize Advanced Threat Detection: Invest in advanced detection technologies capable of identifying tunneling tools like ngrok, which can indicate unauthorized remote access or data exfiltration attempts.
  • Adopt User Behavior Analytics: Employ user and entity behavior analytics (UEBA) to detect anomalies in user activity, especially concerning sensitive data access and credential usage, which may indicate a breach.
  • Conduct Incident Response Drills: Regularly simulate incidents specifically involving tactics employed by Earth Simnavaz, such as credential harvesting and exploitation of Exchange vulnerabilities, to ensure readiness and improve response capabilities.

MITRE ATT&CK Tactics and Techniques

Tactics             | ID        | Technique
Execution           | T1129     | Shared Modules
Persistence         | T1574.002 | Hijack Execution Flow: DLL Side-Loading
Defense Evasion     | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools
Defense Evasion     | T1218.011 | System Binary Proxy Execution: Rundll32
Defense Evasion     | T1497     | Virtualization/Sandbox Evasion
Discovery           | T1082     | System Information Discovery
Discovery           | T1083     | File and Directory Discovery
Discovery           | T1518.001 | Software Discovery: Security Software Discovery
Discovery           | T1614     | System Location Discovery
Command and Control | T1071     | Application Layer Protocol

IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.

3. Major Geopolitical Developments in Cybersecurity

Biggest US water management company sustains a cyber breach
The largest water and wastewater utility in the U.S., American Water, revealed that it experienced a cyberattack in early October. As a result, the company had to disconnect or deactivate certain systems. In a statement, the company explained: “Upon discovering the issue, our team immediately activated incident response protocols and enlisted third-party cybersecurity experts to help contain, mitigate, and investigate the nature and scope of the attack. We have also notified law enforcement and are working closely with them”.

As part of its response, American Water has temporarily taken its MyWater customer portal offline. Serving over 14 million customers in 14 states, the company assured the public that drinking water remains safe, and that it currently believes that none of its water or wastewater facilities or operations have been negatively affected by this incident.

ETLM Assessment:
As we have noted in an earlier report, the U.S. water system is facing significant challenges from aging facilities, increasing demand, and emerging cyber threats. As cyberattacks on water utilities escalate – particularly from state actors like Russia or Iran – the vulnerabilities of these systems become more apparent, and their increasing reliance on digital systems make them susceptible to cyber intrusions, elevating the risk of service disruptions, public health scares, and economic damage.

Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline to critical infrastructure sectors, but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.

This winter, a Russian military-affiliated hacking group infiltrated a Texas water-treatment plant, causing a system malfunction that forced a water tank to overflow and escalating concerns about the network security of similar U.S. facilities. The breach occurred at a water facility in Muleshoe near the New Mexico border and is the first known case perpetrated by Russia (joining Iran and China on the list of countries linked to similar incidents this year). Researchers are pointing towards “Sandworm”, a hacking operation tied to Russia’s military intelligence directorate (GRU). Drinking water in the municipalities nearby was not affected, but there were related hacking attempts reported in other Texas towns.

Moreover, there were further similar Russian-originated activities tracked by researchers also tied to water system compromises in a French dam and Polish water utilities. Russia has been using these attacks as a tool of signaling in the international arena and is likely to double down on them in all NATO countries. In June, Russian hackers targeted a wastewater treatment plant in Indiana, prompting plant managers to send maintenance personnel to investigate the suspicious activity.

Russia is not the only country that has sponsored attacks on the US water system: as the conflict in the Middle East heats up, Iranian actors are expanding their geographic scope to include attacks on Albania, Bahrain and the USA.

The US military highlights the pivotal role of non-kinetic effects and defense against such effects in future conflicts. The potential for massive cyberattacks by advanced state actors like Russia, China or Iran looms large, threatening to disrupt critical infrastructure or the internet-powered amenities that underpin modern life. U.S. documents emphasize that cyber warfare extends far beyond networks and cybersecurity issues, yet neither governments nor businesses are adequately prepared to confront this emerging threat.

4. Rise in Malware/Ransomware and Phishing

The Sarcoma Ransomware impacts Nexus-Shinozaki

  • Attack Type: Ransomware
  • Target Industry: Transport & Logistics
  • Target Geography: Japan
  • Ransomware: Sarcoma Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Nexus-Shinozaki (www[.]nexus-shinozaki[.]co[.]jp), was compromised by the Sarcoma Ransomware. Nexus-Shinozaki Transport & Logistics, part of the Shinozaki Group, is a Japanese company specializing in logistics services, offering solutions across various sectors. Its services include regional and international transportation, warehouse management, and supply chain solutions. The company operates through its own fleet and a network of subcontractors, ensuring delivery across Japan and globally. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 1.3 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • In the week of October 9 to October 15, 2024, Sarcoma ransomware claimed 20% of all reported ransomware victims, solidifying its position as one of the most active ransomware groups currently operating.
  • Sarcoma ransomware first appeared in late 2023 and quickly established itself as a formidable adversary in the ransomware landscape. Its sophisticated approach and rapid victimization have drawn attention.
  • The Sarcoma ransomware group employs a double extortion model, encrypting victims’ data while also exfiltrating sensitive information to leverage for ransom payments. For instance, Sarcoma threatened to publish stolen data within days if ransoms were not paid, showcasing their aggressive extortion tactics.
  • The Sarcoma Ransomware group primarily targets countries like The United States of America, Spain, Australia, Canada, and the United Kingdom.
  • The Sarcoma Ransomware group primarily targets industries, such as Specialized Consumer Services, Industrial Goods & Services, Publishing, Legal Services, and Steel.
  • Based on the Sarcoma Ransomware victims list from 1st Jan 2024 to 16th October 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries most affected by Sarcoma Ransomware from 1st Jan 2024 to 16th October 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, Sarcoma ransomware is rapidly becoming a significant threat due to its aggressive tactics and increasing victim count. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate risks associated with this evolving threat landscape.

The Underground Ransomware Impacts the Casio Computer Co., Ltd

  • Attack Type: Ransomware
  • Target Industry: Electronics Manufacturing
  • Target Geography: Japan
  • Ransomware: Underground Ransomware
  • Objective: Data Theft, Data Encryption, Financial Gains
  • Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary: From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Casio Computer Co., Ltd (www[.]world[.]casio[.]com), was compromised by Underground Ransomware.

Casio Computer Co., Ltd. is a Japanese multinational electronics manufacturing corporation. Its products include calculators, mobile phones, digital cameras, electronic musical instruments, and analogue and digital watches. The compromised data includes confidential documents, legal files, personal information of employees, non-disclosure agreements (NDAs), payroll details, patent information, financial records of the company, project-related documents, and incident reports. The total size of the compromised data is approximately 204.9 GB.

The following screenshot was observed published on the dark web:

Source: Dark Web

Relevancy & Insights:

  • Underground ransomware first appeared in July 2023 and is believed to be linked to the Russian cybercrime group RomCom (Storm-0978). This group is known for conducting opportunistic ransomware attacks and credential-gathering campaigns.
  • The Underground ransomware group exploits vulnerabilities such as CVE-2023-36884, a remote code execution flaw in Microsoft Office, as an infection vector. Once inside a system, they modify registry settings to maintain access and halt critical services like MS SQL Server to facilitate data theft.
  • Underground ransomware employs a double extortion model, encrypting files while also exfiltrating sensitive information. They threaten to publish stolen data if ransoms are not paid, increasing pressure on victims.
  • The Underground Ransomware group primarily targets countries like the United States of America, Germany, Japan, Singapore, and South Korea.
  • The Underground Ransomware group primarily targets industries, such as Business Services, Manufacturing, Technology, Heavy Construction, and Retail.
  • Based on the Underground Ransomware victims list from 1st Jan 2024 to 16th October 2024, the top 5 Target Countries are as follows:
  • The Top 10 Industries most affected by Underground Ransomware from 1st Jan 2024 to 16th October 2024 are as follows:

ETLM Assessment:
Based on recent assessments by CYFIRMA, the recent activities of Underground ransomware, particularly the high-profile attack on Casio, highlight the growing threat posed by this group. Organizations are urged to enhance their cybersecurity measures, including regular updates, employee training on phishing awareness, and robust incident response strategies to mitigate risks associated with ransomware attacks.

5. Vulnerabilities and Exploits

Vulnerability in AADMY – Add Auto Date Month Year into Posts plugin for WordPress

  • Attack Type: Vulnerabilities & Exploits
  • Target Technology: Modules and components for CMS
  • Vulnerability: CVE-2024-9837
  • CVSS Base Score: 7.3
  • Vulnerability Type: Improper input validation

Summary:
The vulnerability allows a remote attacker to compromise the target system.

Relevancy & Insights:
The vulnerability exists because the affected plugin exposes an action that does not properly validate a request-supplied value before passing it to do_shortcode, so the unvalidated value reaches WordPress’s shortcode engine.

Impact:
A remote attacker can execute arbitrary shortcodes.
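As an added illustration of the pattern the summary describes (not the AADMY plugin’s own code, which is not on this page): a handler that hands a request value to do_shortcode() without validation, beside a hardened form that checks a nonce and a capability and allowlists the shortcode name. The hook, parameter and shortcode names are hypothetical.

```php
<?php
// Added illustration only; hook, parameter and shortcode names below are
// hypothetical and are not the plugin's real identifiers.

// VULNERABLE PATTERN: an AJAX action reachable without login (wp_ajax_nopriv_)
// takes a request value and passes it straight to do_shortcode(). Every
// shortcode registered on the site becomes reachable this way, not only the
// plugin's own, which is what "arbitrary shortcode execution" means.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_vulnerable' );
add_action( 'wp_ajax_example_render', 'example_render_vulnerable' );
function example_render_vulnerable() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content ); // unvalidated value reaches the shortcode engine
    wp_die();
}

// HARDENED FORM: no nopriv hook, nonce check, capability check, and the request
// may only name one of the plugin's own shortcodes; the shortcode string itself
// is built server-side so request text never reaches do_shortcode() directly.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_date', 'example_month', 'example_year' ); // hypothetical tags

add_action( 'wp_ajax_example_render_safe', 'example_render_hardened' );
function example_render_hardened() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    // Only users allowed to author content may render shortcodes here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // sanitize_key() reduces the value to [a-z0-9_-]; the allowlist and
    // shortcode_exists() together reject anything the plugin did not register.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    wp_send_json_success( do_shortcode( '[' . $tag . ']' ) );
}
```

For detection, the vulnerable shape is visible in access logs as POST requests to admin-ajax.php for a nopriv action carrying shortcode-like bracketed text, so alerting on such bodies from unauthenticated clients covers the monitoring recommendation below.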

Affected Products:
plugins/auto-date-year-month/aadmy-add-auto-date-month-year-into-posts-201-unauthenticated-arbitrary-shortcode-execution

Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED PRODUCTS OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment:
Vulnerability in the AADMY Plugin for WordPress can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of the AADMY Plugin is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding dynamic content creation and user interactions on WordPress sites, including elements like date, time, and user information, across different geographic regions and sectors.

6. Latest Cyber-Attacks, Incidents, and Breaches

RansomHouse Ransomware attacked and published the data of the Fursan Travel

  • Threat Actors: RansomHouse Ransomware
  • Attack Type: Ransomware
  • Objective: Data Leak, Financial Gains
  • Target Technology: Web Applications
  • Target Industry: Travel and Tourism
  • Target Geography: Saudi Arabia
  • Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that the RansomHouse Ransomware attacked and published data of Fursan Travel (www[.]fursan[.]com[.]sa) on its dark web website. Fursan Travel is a leading travel agency in Saudi Arabia. It specializes in providing a variety of travel services, catering to both individual travelers and corporate clients, including local and multinational companies, as well as government institutions. The company offers cost-effective and customized travel solutions based on client needs, ensuring high-quality services through its extensive industry knowledge and technology. The data leak, following the ransomware attack, encompasses sensitive and confidential information related to the organization. The total volume of compromised data is approximately 2.3 TB.

Source: Dark Web

Relevancy & Insights:

  • RansomHouse is a ransomware-as-a-service (RaaS) operation that emerged in December 2021 and is using double extortion tactics.
  • The RansomHouse Ransomware group primarily targets large enterprises and high-value organizations, employing tactics such as phishing and spear-phishing emails to gain initial access. They also utilize third-party frameworks like Vatet Loader, Metasploit, and Cobalt Strike.

ETLM Assessment:
Based on the available information, CYFIRMA’s assessment indicates that RansomHouse remains a significant player in the ransomware landscape, utilizing unique tactics. Organizations must remain vigilant and proactive in their cybersecurity efforts to protect against such evolving threats.

7. Data Leaks

Cisco Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Industry: Government
  • Target Geography: Indonesia
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
In a recent post on a dark web forum, a notorious threat actor claimed responsibility for breaching a significant Indonesian government database. The individual, operating under the alias “@303,” announced that they had successfully obtained the database and provided a sample of the compromised data.

A sample of the exposed data was also included in the post, featuring various sensitive fields such as user login information, passwords, email addresses, and account statuses. Specifically, the leaked data contained details like:

  • User login credentials
  • Passwords (likely hashed)
  • User email addresses
  • Account registration dates
  • Activation keys and status

Source: Underground Forums

KintApp Data Advertised on a Leak Site

  • Attack Type: Data Leak
  • Target Geography: Thailand
  • Target Industry: Software Development and Technology Solutions
  • Objective: Data Theft, Financial Gains
  • Business Impact: Data Loss, Reputational Damage

Summary:
A threat actor has claimed responsibility for a significant data breach targeting KintApp, a communication platform widely used by organizations in Thailand. According to a post made on a dark web forum, the breach compromised sensitive information from over 2,500 organizations, including prominent institutions such as the Thailand Constitutional Court, the Royal Thai Police Cadet Academy, and the Thailand Defense College.

The threat actor alleged that the stolen data includes users’ personal details such as identification numbers, email addresses, first and last names, and mobile phone numbers. While the authenticity of these claims has not yet been independently verified, the poster provided a sample of the stolen data to substantiate the breach. KintApp, designed to facilitate communication for businesses, is popular among both private and public sector entities across Thailand.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
Threat Actor “303” is driven primarily by financial motives, frequently targeting a broad spectrum of industries, such as healthcare, finance, manufacturing, and critical infrastructure. This actor poses a significant risk in the cybersecurity landscape, employing advanced techniques to facilitate data breaches and achieve financial gains through the exploitation of sensitive information. To defend against this evolving threat, organizations must maintain heightened awareness and adopt proactive cybersecurity measures.

Recommendations: Enhance the cybersecurity posture by

  • Update all software products to their latest versions to mitigate the risk of vulnerabilities being exploited.
  • Ensure proper database configuration to mitigate the risk of database-related attacks.
  • Establish robust password management policies, incorporating multi-factor authentication and role-based access, to fortify credential security and prevent unauthorized access.

8. Other Observations

In a recent development, Smart Buy, a UAE-based e-commerce platform, has reportedly suffered a data breach, exposing sensitive information of approximately 8,500 users. The breach, which allegedly occurred in October 2024, was disclosed by threat actors known as @IntelBroker and @EnergyWeaponUser, who shared the compromised data on a dark web forum.

The breached data includes user email addresses, transaction dates, currencies, and information related to specific online stores. A sample of the compromised data has been provided as proof of the breach.

Source: Underground forums

Threat Actor Claims Breach of Rivoli Group AE

The Rivoli Group is synonymous with luxury lifestyle retail. It has established a wide footprint, serving its customers across the UAE, Oman, Qatar, and Bahrain, offering a diverse portfolio of over 100 prestigious international brands and an unmatched retail experience. Rivoli encompasses a wide spectrum of premium products such as watches, eyewear, jewelry, leather accessories, and writing instruments.

The incident allegedly affected 44,000 users. Threat Actors compromised data, including order statuses, dates, countries, and email addresses. The data breach has been attributed to a threat actor identified as “IntelBroker”.

Source: Underground forums

ETLM Assessment:
The “IntelBroker” threat actor group has become active in underground forums and has emerged as a formidable force in cybercrime mainly for financial gains. The threat actor has already targeted Government, Industrial Conglomerates, Retail, Staffing, Business consulting, Banks, E-Commerce, Electric & Utilities industries, indicating its intention to expand its attack surface in the future to other industries globally.

STRATEGIC RECOMMENDATIONS

  • Attack Surface Management should be adopted by organizations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
  • Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
  • Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
  • Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, active network monitoring through next-generation security solutions, and a ready-to-go incident response plan.
  • Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

  • Take advantage of global Cyber Intelligence providing valuable insights on threat actor activity, detection, and mitigation techniques.
  • Proactively monitor the effectiveness of the risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
  • Move beyond the traditional model of security awareness towards improved simulation and training exercises that mimic real attack scenarios, account for behaviours that lead to a compromise, and are measured against real attacks the organization receives.
  • Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
  • Test detection processes to ensure awareness of anomalous events; communicate anomalies promptly and continuously evolve detection to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

  • Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
  • Build and undertake safeguarding measures by monitoring/blocking the IOCs and strengthen defences based on the tactical intelligence provided.
  • Deploy detection technologies that are behavioural anomaly-based to detect ransomware attacks and help to take appropriate measures.
  • Implement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and account lockout to thwart automated brute-force attacks.
  • Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

Geography-Wise Graph

Industry-Wise Graph

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, technology, please access DeCYFIR.