Weekly Intelligence Report – 28 Oct 2022

Weekly Intelligence Trends/Advisory

Key Intelligence Signals:

• Attack Type: Ransomware, Vulnerabilities & Exploits, Ransomware-as-a-Service (RaaS), Malware Implants, Data Exfiltration, Data Leak, Impersonations, Data Encryption, Cryptojacking, Path Traversal
  • Objective: Unauthorized Access, Data Theft, Financial Gains, Payload Delivery, Espionage, Crypto Mining
  • Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property
• Ransomware – Hive | Malware – WarHawk
  • Hive – One of the ransomware groups.
  • Please refer to the trending malware advisory for details on the following:
  • Malware – WarHawk
• Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vector. Apart from these techniques, exploitation of vulnerabilities, defence evasion, and persistence tactics are being observed.

Threat Actor in Focus

Kimsuki Target South Koreans Using Three New Android Malware

Suspected Threat Actors: Kimsuki

• Attack Type: Malware Implants, Data Exfiltration, Impersonation
• Objective: Espionage, Unauthorized Access, Payload Delivery
• Target Technology: Android
• Target Geography: South Korea
• Business Impact: Data Loss, Loss of Intellectual Property, Potential Financial Loss

Summary:
Researchers have recently spotted the North Korean espionage-focused threat actor group Kimsuki leveraging three different Android malware strains namely FastFire, FastViewer, and FastSpy to target users located in its southern counterpart. As per researchers FastFire and FastViewer impersonate “Google security plugin” and “Hancom Office Viewer” respectively, and FastSpy is a RAT based on AndroSpy.

The FastFire malware is considered to be currently under development by the Kimsuki threat actor group. Unlike getting direction from Command & Control (C2) server through HTTP/S as in the traditional manner, it makes use of Firebase – an application development environment by Google.

FastViewer is capable of reading the Hangul documents (.hwp) used in Korea and can download additional malware once stealing data from an infected device.

The FastSpy malware is downloaded by the FastViewer malware and receives its commands through TCP/IP protocol from the attacker’s server. FastSpy is based on the code of AndroSpy which is an open-source RAT.

Insights:
The Kimsuky threat actor group is believed to be tasked by the North Korean regime with a global intelligence-gathering mission and targets individuals and private organizations in the US, Japan, and South Korea. In August of this year, the threat actor group was linked to a set of malicious activities against South Korean politicians and diplomats using a previously undocumented malware dubbed GoldDragon.

Researchers highlight that the use of FireBase as C2 is one of their advanced tactics. The Kimsuky threat actor group is advancing its strategy to target mobile users with sophisticated attacks.

Major Geopolitical Developments in Cybersecurity

US unveils legal cases against Chinese intelligence officers

The US Department of Justice has announced the unsealing of 3 cases against 13 Chinese nationals, including ten Chinese intelligence officers. One case revolves around a Chinese front organization, posing as a legitimate think tank, that had allegedly been engaged in theft of American intellectual property and free speech impingement regarded to cases and situations it assessed as opposing an image of China painted by the communist government. Four individuals were charged in this case. Another case involves charges against two Chinese intelligence officers who supposedly bribed a US citizen who was supposedly in a position to reveal sensitive information about the US prosecution of an unnamed Chinese telecom company. The DOJ has not identified the company in question; however, the company is very likely to be Chinese 5G champion Huawei. In the last case, seven individuals were indicted. The case revolves around China’s Operation Fox Hunt, a long-running program of forcible repatriation of Chinese nationals who have emigrated to other countries, and who are regarded as a threat to the reputation or security of the communist government in Beijing. The targeted dissidents and their family members were allegedly subjected to physical intimidation, frivolous lawsuits, threats, and other harassment. All three cases came to light as an embarrassment during CCP’s 20th congress and are likely to be met with a counteroffensive in cyberspace targeting sensitive industries and American midterm elections.

Norway Expressing Concerns over Gas & Oil Infrastructure

Norway has recently replaced Russia as Europe’s main source of natural gas, and military experts suspect Russia is now surveying Norwegian gas & oil infrastructure for potential vectors of attack. In recent weeks, many Norwegian energy installations were probed by buzzing drones and several Russian citizens have already been arrested for the illegal operation of unmanned aircraft over Norwegian oil rigs, natural gas plants, and pipelines. Norwegian authorities list espionage, sabotage, and intimidation as possible motives for the drone flights.

After the Nord Stream pipeline sabotage, Norway is seeking to improve the physical security of its North Sea oil and gas production operations and has openly named Russia as the top threat in the industry. The government in Oslo is also concerned about the risk of a Russian cyberattack against its oil and gas sector. The energy industry in Europe and at large should be in a state of high vigilance against cyberattacks in the coming months.

Rise in Malware/Ransomware and Phishing

Tata Power Impacted by Hive Ransomware

• Attack Type: RaaS, Data Exfiltration
• Target Industry: Utilities
• Target Geography: India
• Ransomware: Hive
• Objective: Financial Gains, Data Theft
• Business Impact: Data Loss, Reputational Damage

Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed Tata Power (www[.]tatapower[.]com) –the largest power generation company in India – being impacted by the Hive ransomware group. The ransomware group claimed Tata Power as one of their victims by disclosing the update on their dedicated leak site on 24 October 2022. As per the claim the encryption had taken place on 3 October 2022. It is suspected that a large amount of business-critical and sensitive data has been exfiltrated among which it includes employee’s email addresses, addresses, passports details, phone numbers, payments details, taxpayer information, etc. An unknown amount of such data has been made available for download by anyone.

Insights:

• The Hive ransomware was first observed in June 2021 and is suspected of running as affiliate-based ransomware similar to the majority of the ransomware groups at current times. The ransomware group employs a wide array of tactics, techniques, and procedures (TTPs) in their attacks. They leverage multiple methods to compromise an organization’s networks, which include phishing emails with malicious attachments to foothold into the network and exploiting Remote Desktop Protocol (RDP) for lateral movement.
• It uses a double-extortion strategy for attacks. The attackers threaten to publish the exfiltrated data (victim data) if the victims are not ready to pay the ransom.
• The ransomware operators implemented a new IPfuscation (obfuscation) technique to conceal the Cobalt strike beacon payload. The payload was disguised as an array of ASCII IPv4 addresses in the malware executable binary. Code obfuscation is a technique that helps threat actors hide malicious code from security analysts or security software to evade detection.
• The Hive ransomware operators changed its VMware ESXi Linux encryptor to the Rust programming language to make it more difficult for security researchers to eavesdrop on victims’ ransom conversations. This feature is implemented from the BlackCat ransomware operation.