Weekly Intelligence Report – 04 Nov 2022

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

• Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Remote Code Execution (RCE), On-device Fraud, Rouge Mobile Apps, Telephone-Oriented Attack Delivery (TOAD), SMiSing, Malvertising
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Potential Espionage
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
• Ransomware – LockBit (LockBit 2.0, LockBit 3.0) | Malware – LODEINFO
  • LockBit – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – LODEINFO
• Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Attackers Use Stealthy Techniques to Implant Malware

Suspected Threat Actors: Potentially Cranefly

• Attack Type: Malware Implants
• Objective: Unauthorized Access, Payload Delivery, Potential Espionage
• Target Technology: Microsoft IIS
• Business Impact: Data Loss, Loss of Intellectual Property, Potential Financial Loss

Summary:
Researchers have discovered a hitherto undocumented dropper that attackers are using to install a new backdoor and other tools by employing the novel technique of reading commands from seemingly harmless IIS logs. According to Researcher’s threat actor group dubbed Cranefly is using the dropper (Trojan.Geppei) to install another previously undocumented malware (Trojan.Danfuan). Researchers note that the technique of reading commands from IIS logs is not something seen in real-world attacks. The analysis also reveals another dropper Hacktool.Regeorg is known malware that can create a SOCKS proxy. Based on the tools deployed, efforts taken by attackers to conceal their activity, and no data exfiltration observed, researchers suspect the most likely motivation is intelligence gathering.

Insights:
As per researchers the Hacktool.Regeorg has been leveraged by multiple APT threat actor groups in the past. Its code is publicly available on GitHub and lack of sufficient clues hindered attribution to any publicly tracked threat actor group.

Major Geopolitical Developments in Cybersecurity

US Raises Cyber Stakes in National Defense Strategy for 2022

The US has published its National Defense Strategy. The document highlights the threat posed by the usual suspects: China, Russia, North Korea, and Iran – which are familiar adversaries who are wielding notable offensive cyber capabilities. The document emphasizes deterrence through resilience in the cyber realm, which it suggests is possible to attain via a wide range of protective measures that include heavy implementation of encryption and a strong focus on the use of zero-trust principles. Deterrence by denial is also complemented by a strategy of deterrence by cost imposition, which could include offensive cyber operations, however, this is not further detailed in the report for obvious reasons. This position still represents a more assertive use of national power in cyberspace though and the document openly states that the US government “…will conduct cyberspace operations…to degrade competitors’ malicious cyber activity and to prepare cyber capabilities to be used in crisis or conflict.”

Parliaments in Poland and Slovakia Targeted by Cyber Attacks

The parliaments of both Poland and Slovakia sustained cyberattacks that knocked out various parliamentary networks, including those supporting both voting and telecommunications in Slovakia. In Poland, the Senate website was hit by a distributed denial-of-service (DDoS) attack that paralyzed the institution’s website. Polish sources blame the attacks on Russia, and it’s widely suspected that the attacks were staged by a Russian privateering group on behalf of the Kremlin in retaliation for Polish and Slovak support for Ukraine in the Russian war of aggression waged in the neighboring country.

Former UK Prime Minister Truss’s Phone Compromised

According to British media, Russian intelligence services are believed to have successfully compromised former British Prime Minister Liz Truss’s personal smartphone. The compromise is supposed to be dated to the time when Ms. Truss served as Foreign Minister. British Parliamentarians are now calling for an official investigation, which could reveal the attack vector and whether a zero-day compromise was involved, what information has the attacker in gable to extract, and the extent to which officials use personal devices to communicate about official business. In this manner, the case resembles former US Foreign Minister Hillary Clinton and her use of a private email server to store and send state data.

Rise in Malware/Ransomware and Phishing

Wilby Impacted by LockBit Ransomware

• Attack Type: RaaS, Data Exfiltration
• Target Industry: Construction
• Target Geography: Japan
• Ransomware: LockBit
• Objective: Financial Gains, Data Theft
• Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Wilby Co., Ltd. (will-b.jp) – a Japanese construction organization specialized in developing logistics facilities such as distribution centers and warehouses, etc – being impacted by the LockBit ransomware group. The ransomware group claimed Wilby as one of their victims by disclosing the update on their dedicated leak site on 30th October. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. According to the information published on LockBit’s dedicated leak site, a deadline of 8th November has been provided to come to a ransom arrangement after which the exfiltrated data will get leaked publicly.

Insights:

• The LockBit ransomware group has recently released its LockBit 3.0 variant, and the operation also introduced a few tweaks to their dedicated leak site including introducing a bug bounty program. The dedicated leak site now also shows what seems to be the amount of ransom to be paid by the victim alongside the old countdown timer. As time goes by and the timer approaches zero, the amount of ransom also decreases for some of the victims, and if no ransom is paid the exfiltrated data is leaked. The group has also introduced support for Zcash cryptocurrency as a payment option. Researchers indicate that the LockBit 3.0 appears to be inspired by another ransomware known as BlackMatter, (a rebrand of DarkSide) by stating “large portions of the code are ripped straight from BlackMatter/Darkside.”
• Recently a LockBit public-facing figure announced that the ransomware group is exploring DDoS as a triple extortion tactic on top of encrypting and leaking exfiltrated data. The move comes shortly after the group’s DLS went offline due to a DDoS attack. LockBit accused their latest victim (around that time) – a prominent software company of being responsible for this attack. While this is not something new for ransomware gangs, DDoS as a triple extortion tactic has been used by other ransomware gangs to make victim meet their demand. However, a troublesome factor in play would be the recent hype around a politically motivated DDoS attack that took place a couple of months back and was spearheaded by groups like Killnet. Although tangible outcomes and effects have remained negligible for Killnet, the popularity of DDoS has risen to keep organizations hostage or coerce them to agree by threatening to launch a DDoS attack. LockBit being one of the prominent players in the ransomware ecosystem, would not only provide a new business avenue for DDoS providers within the cybercriminal underground community but also may incite other ransomware gangs to do so.