The Cybersecurity Dossier - January 20, 2025
Threat Actor in Focus - Chinese State-Sponsored RedDelta Targets Taiwan, Mongolia, and Southeast Asia with Modified PlugX Malware Campaign.
Between July 2023 and December 2024, a Chinese state-sponsored group targeted countries including Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia, using an adapted infection chain to distribute a customized backdoor known as PlugX. The group employed various spearphishing techniques, leveraging themes such as political events, national holidays, and international meetings to lure victims. The group notably compromised the Mongolian Ministry of Defense in August 2024 and the Communist Party of Vietnam in November 2024. Additionally, attempts to target the Vietnamese Ministry of Public Security were observed, though no successful compromise was detected. The group expanded its targeting to other nations, including Malaysia, Japan, the United States, and others, between September and December 2024. READ MORE
CYFIRMA ANNUAL INDUSTRIES REPORT: PART 1
Welcome to the CYFIRMA Infographic Industry Report, where we examine the external threat landscape across 13 industries over the past year. Through clear, data-driven visuals and expert insights, we present concise analyses of attack campaigns, phishing telemetry, and ransomware incidents affecting organizations worldwide. Leveraging our cutting-edge platform telemetry and the deep expertise of our analysts, this report highlights both cross-industry trends and year-over-year changes, along with detailed, industry-specific breakdowns coming in Parts 2 and 3 soon. Our goal is to equip you with actionable intelligence that helps you stay ahead in the ever-evolving cybersecurity landscape.
A newly disclosed critical vulnerability impacts legacy D-Link devices, including DNS-320, DNS-320LW, DNS-325, and DNS-340L, across all hardware revisions. These devices have reached the end of their support lifecycle, meaning they no longer receive firmware updates or security patches. READ MORE
TRACKING RANSOMWARE: DECEMBER 2024
December 2024 witnessed diverse ransomware trends, with emerging groups targeting critical industries and geographical locations. The report explores top ransomware groups, targeted sectors, and the evolution of attack strategies exploiting vulnerabilities. It highlights notable incidents and emphasizes the need for enhanced defenses as ransomware groups refine their operations to exploit digital transformation and unpatched systems across global industries. In December 2024, ransomware activity showcased notable trends, including a 12.38% decline in attacks compared to November. Key ransomware groups, such as Funksec and Cl0p, emerged with significant incidents, and industries like healthcare and e-commerce faced increasing risks. The exploitation of vulnerabilities, advanced social engineering, and sophisticated attack vectors underlined the persistent evolution of ransomware, demanding robust defenses and proactive patching strategies. READ MORE
APT PROFILE – TA397
Threat actor TA397, also known as Bitter, is a South Asia-nexus cyber espionage group targeting government, energy, telecommunications, defense, and engineering organizations in the EMEA and APAC regions. Their operations typically involve spear-phishing emails with malicious attachments, leading to the installation of remote access trojans (RATs) such as WmRAT and MiyaRAT. These RATs enable the attackers to steal sensitive information and intellectual property.
Alias: Bitter. Motivation: Information Theft and Espionage. Target Technologies: Office Suites Software, Operating System, Web Application. Targeted Regions: EMEA (Europe, Middle East, and Africa) and APAC (Asia-Pacific). Malware used by TA397: ArtraDownloader, BitterRAT, WmRAT, and MiyaRAT. READ MORE
THE FALL OF SYRIA AND THE FUTURE OF THE IRAN THREAT
Last month, a coalition of rebel groups brought a swift end to 50 years of brutal and repressive rule by the Assad family, following 13 years of brutal civil war. The fall of the regime provoked joy on Syrian streets, but also great uncertainty about the future. The rapid advance of the rebels has arguably taken Russia and Iran by surprise and has caused them to vicariously suffer an embarrassing defeat. The rebels’ main sponsors, the governments of Turkey and Qatar, may now be feeling as if they have bitten off more than they can chew. Using a wider lens, the fall of the Assad government has caught the diplomatic community off guard, with nations scrambling to respond to a sudden power vacuum in a region where various armed groups, Islamist extremists, and foreign players have been jockeying for influence for years. The immediate priority was to secure Syria’s chemical weapons, which prompted the Israeli Air Force to launch a series of airstrikes. READ MORE
Ransomware of the Week
CYFIRMA Research and Advisory Team has found LucKY_Gh0$t Ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers have recently identified a new variant of the ransomware named LucKY_Gh0$t. This ransomware variant is derived from the Chaos ransomware family. Upon infecting a system, it encrypts and renames files, appending a random four-character extension to them. Additionally, it alters the desktop wallpaper and delivers a ransom note in a file named “read_it.txt.” LucKY_Gh0$t’s ransom note informs victims that their files have been encrypted and demands payment for decryption. It assures that decryption programs will be provided upon payment but warns that failure to comply will lead to repeated attacks on the victim’s organization. The note provides detailed instructions for contacting the attackers via the Session messaging service and includes a unique decryption ID for reference. READ MORE
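The file-level indicators summarised above (a ransom note named "read_it.txt" and victim files renamed with a random four-character extension) can be turned into a simple triage check over a file listing. The following is an added example, not CYFIRMA's own tooling; the sample listing, the extension allowlist, and the 50% threshold are constructed assumptions to be tuned for the environment being reviewed.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Note name reported for this Chaos-derived variant.
RANSOM_NOTE_NAMES = {"read_it.txt"}
# Assumption: a small allowlist of legitimate 4-character extensions so that
# ordinary files are not mistaken for renamed ones; extend for your estate.
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "json", "html", "yaml",
                    "toml", "jpeg", "webp", "java"}
RANDOM_EXT = re.compile(r"^[A-Za-z0-9]{4}$")


def looks_renamed(path: str) -> bool:
    """True when the file carries an unfamiliar 4-character extension."""
    suffix = PurePosixPath(path).suffix.lstrip(".")
    return bool(RANDOM_EXT.match(suffix)) and suffix.lower() not in KNOWN_EXTENSIONS


def triage_listing(paths, threshold=0.5):
    """Score a file listing for LucKY_Gh0$t-style indicators.

    Returns the ransom notes found, how many non-note files look renamed,
    the affected fraction, the renamed extensions seen, and a verdict that
    requires both a note and a renamed fraction at or above the threshold.
    """
    notes = [p for p in paths if PurePosixPath(p).name.lower() in RANSOM_NOTE_NAMES]
    candidates = [p for p in paths if p not in notes]
    renamed = [p for p in candidates if looks_renamed(p)]
    ratio = len(renamed) / len(candidates) if candidates else 0.0
    ext_counts = Counter(PurePosixPath(p).suffix for p in renamed)
    return {"notes": notes, "renamed": len(renamed), "ratio": round(ratio, 2),
            "extensions": dict(ext_counts), "suspicious": bool(notes) and ratio >= threshold}


# Constructed sample listing (not from the report): a share after encryption.
SAMPLE_LISTING = [
    "/share/finance/q3.xlsx.k7Qp",
    "/share/finance/budget.docx.k7Qp",
    "/share/finance/read_it.txt",
    "/share/hr/handbook.pdf.z2Lm",
    "/share/hr/read_it.txt",
    "/share/it/inventory.json",
    "/share/it/notes.txt",
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
```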
Trending Malware of the Week
This week “Banshee” is trending. Researchers discovered a new version of the Banshee macOS stealer, linked to Russian-speaking cybercriminals targeting macOS users. Undetected for over two months, this variant surfaced after the original version’s source code was leaked on dark web forums, and it shares much of the original’s functionality. A notable difference is its use of a string encryption algorithm similar to the one used by Apple’s XProtect antivirus. While XProtect binaries use it to decrypt YARA rules for detection, Banshee uses the algorithm to decrypt strings vital to its operations, including executed commands, browser names and paths, extension IDs, wallet details, and command-and-control (C&C) information. Distributed through malicious GitHub repositories, Banshee targeted macOS users while Windows users were served Lumma Stealer. Priced at $3,000, Banshee operated as a “stealer-as-a-service,” promoted on Telegram and dark web forums. READ MORE
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view to help clients prepare for impending attacks.
Visit www.cyfirma.com
Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.