Key Intelligence Signals:
Suspected Threat Actors: Potentially Cranefly
Researchers have discovered a hitherto undocumented dropper that attackers are using to install a new backdoor and other tools by employing the novel technique of reading commands from seemingly harmless IIS logs. According to Researcher’s threat actor group dubbed Cranefly is using the dropper (Trojan.Geppei) to install another previously undocumented malware (Trojan.Danfuan). Researchers note that the technique of reading commands from IIS logs is not something seen in real-world attacks. The analysis also reveals another dropper Hacktool.Regeorg is known malware that can create a SOCKS proxy. Based on the tools deployed, efforts taken by attackers to conceal their activity, and no data exfiltration observed, researchers suspect the most likely motivation is intelligence gathering.
As per researchers the Hacktool.Regeorg has been leveraged by multiple APT threat actor groups in the past. Its code is publicly available on GitHub and lack of sufficient clues hindered attribution to any publicly tracked threat actor group.
The US has published its National Defense Strategy. The document highlights the threat posed by the usual suspects: China, Russia, North Korea, and Iran – which are familiar adversaries who are wielding notable offensive cyber capabilities. The document emphasizes deterrence through resilience in the cyber realm, which it suggests is possible to attain via a wide range of protective measures that include heavy implementation of encryption and a strong focus on the use of zero-trust principles. Deterrence by denial is also complemented by a strategy of deterrence by cost imposition, which could include offensive cyber operations, however, this is not further detailed in the report for obvious reasons. This position still represents a more assertive use of national power in cyberspace though and the document openly states that the US government “…will conduct cyberspace operations…to degrade competitors’ malicious cyber activity and to prepare cyber capabilities to be used in crisis or conflict.”
The parliaments of both Poland and Slovakia sustained cyberattacks that knocked out various parliamentary networks, including those supporting both voting and telecommunications in Slovakia. In Poland, the Senate website was hit by a distributed denial-of-service (DDoS) attack that paralyzed the institution’s website. Polish sources blame the attacks on Russia, and it’s widely suspected that the attacks were staged by a Russian privateering group on behalf of the Kremlin in retaliation for Polish and Slovak support for Ukraine in the Russian war of aggression waged in the neighboring country.
According to British media, Russian intelligence services are believed to have successfully compromised former British Prime Minister Liz Truss’s personal smartphone. The compromise is supposed to be dated to the time when Ms. Truss served as Foreign Minister. British Parliamentarians are now calling for an official investigation, which could reveal the attack vector and whether a zero-day compromise was involved, what information has the attacker in gable to extract, and the extent to which officials use personal devices to communicate about official business. In this manner, the case resembles former US Foreign Minister Hillary Clinton and her use of a private email server to store and send state data.
Wilby Impacted by LockBit Ransomware
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Wilby Co., Ltd. (will-b.jp) – a Japanese construction organization specialized in developing logistics facilities such as distribution centers and warehouses, etc – being impacted by the LockBit ransomware group. The ransomware group claimed Wilby as one of their victims by disclosing the update on their dedicated leak site on 30th October. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated. According to the information published on LockBit’s dedicated leak site, a deadline of 8th November has been provided to come to a ransom arrangement after which the exfiltrated data will get leaked publicly.