The Cybersecurity Dossier - June 24, 2024
Latest Cyberattacks, Incidents and Breaches


Threat Actor in Focus - Velvet Ant: A China-Nexus Threat Group’s Persistent Cyber Espionage Campaign

In late 2023, researchers conducted a forensic investigation into a significant cyber-attack on a major organization, uncovering a sophisticated campaign orchestrated by a threat group known as Velvet Ant. This China-nexus state-sponsored group exhibited advanced capabilities and a meticulous approach throughout the attack, with their primary objective being to maintain prolonged access to the organization’s network for espionage purposes. Velvet Ant gained initial access to the target organization’s network through various entry points, demonstrating a profound understanding of the network infrastructure. Leveraging a legacy F5 BIG-IP appliance exposed to the internet, they established a covert Command and Control (C&C) mechanism, facilitating persistent access to the network for over three years. This strategic foothold allowed the threat actors to meticulously execute their objectives without arousing suspicion.


CRYSTAL BALL SERIES

In this installment, we explore the growing threat of cybercrime in the electric vehicle industry. Strong security measures and regulations are critical to protect EVs from cyber threats.



Digital Warfare: Pakistan-Based Terrorist Organizations Utilize Digital Platforms in J&K for Psy Ops

The research team at CYFIRMA initiated an investigation to uncover the latest online activities related to terrorism in Kashmir. This report highlights the efforts made by terrorist groups, utilizing digital platforms to spread propaganda and brainwashing content among the local Kashmiri population about their intentions and planned attacks, particularly through Telegram channels. The investigation also sheds light on the psychological operations (Psy Ops) conducted by these groups, which aim to manipulate public perception, spread fear, and destabilize the region. These Psy Ops are designed to maintain a heightened state of alarm and confusion, making it challenging for local authorities to maintain order and security.


Ransomware of the Week

The CYFIRMA Research and Advisory Team found El Dorado Ransomware while monitoring various underground forums as part of our Threat Discovery Process. By mid-June 2024, researchers had discovered a new ransomware group called El Dorado, whose ransomware variant originates from the LostTrust ransomware. It encrypts files, appends the “.00000001” extension to the filenames, and generates a ransom note titled “HOW_RETURN_YOUR_DATA.TXT”. The ransom note informs victims of a network breach caused by vulnerabilities, leading to unauthorized access, data theft, and file encryption. It advises against terminating unknown processes, shutting down servers, or unplugging drives, as these actions could result in partial or complete data loss. The note offers to decrypt a couple of files (up to 5 megabytes) for free, with the remainder decrypted upon payment. It warns that if the ransom is not paid, the stolen data will be published or sold to third parties.
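The two file-system indicators named above (the appended “.00000001” extension and the “HOW_RETURN_YOUR_DATA.TXT” note) are enough for a first-pass triage sweep of a share or host. The script below is an added example written for this digest, not CYFIRMA's tooling or anything from the El Dorado report: it walks a directory tree, counts encrypted files per directory, locates ransom notes, and recovers the original filename from the appended extension. The sample tree it builds is constructed for the demo; the indicator strings are the only values taken from the text.

```python
"""Triage helper: locate El Dorado-style ransomware artifacts on a file tree.

Added example for defenders. The extension and ransom-note filename come from
the digest text; the sample tree, paths and function names are constructed
assumptions for illustration.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".00000001"               # extension El Dorado appends to encrypted files
RANSOM_NOTE = "HOW_RETURN_YOUR_DATA.TXT"  # ransom note dropped by El Dorado


def scan_tree(root):
    """Walk `root` and collect indicators of El Dorado activity.

    Returns the number of files carrying the appended extension, the ransom
    notes found, and a per-directory count of encrypted files so an analyst
    can see how far the encryption spread.
    """
    encrypted = []
    notes = []
    per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
            # Compare the note name case-insensitively: NTFS shares are case-insensitive.
            elif name.upper() == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "per_dir": dict(per_dir),
        "likely_infected": bool(notes) or bool(encrypted),
    }


def original_name(path):
    """Strip the appended extension to recover the pre-encryption filename."""
    base = os.path.basename(path)
    if base.endswith(ENCRYPTED_EXT):
        return base[: -len(ENCRYPTED_EXT)]
    return base


def build_sample_tree():
    """Create a constructed directory tree resembling a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="eldorado_demo_")
    docs = os.path.join(root, "docs")
    clean = os.path.join(root, "untouched")
    os.makedirs(docs)
    os.makedirs(clean)
    # Two encrypted documents plus the ransom note in one directory (constructed).
    for name in ("report.docx.00000001", "budget.xlsx.00000001", RANSOM_NOTE):
        with open(os.path.join(docs, name), "w") as fh:
            fh.write("constructed sample content\n")
    # One directory the ransomware never reached.
    with open(os.path.join(clean, "readme.txt"), "w") as fh:
        fh.write("not encrypted\n")
    return root


def demo():
    """Build the constructed tree and scan it; returns the scan result."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    result = demo()
    print(f"encrypted files: {result['encrypted_count']}")
    for note in result["ransom_notes"]:
        print("ransom note:", note)
    for path in result["encrypted_files"]:
        print(f"  {original_name(path)}  <-  {path}")
```

Pointing `scan_tree` at a mounted share gives a quick blast-radius picture (which directories were touched, and which were not) before any restore-from-backup decision, and the ransom-note locations are the first places to look when establishing the encryption timeline from file timestamps.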


Trending Malware of the Week

This week “DISGOMOJI” is trending. In 2024, a cyber espionage campaign targeting Indian government entities has been attributed to a suspected threat actor based in Pakistan, identified as UTA0137. This threat actor exclusively deploys a malware named DISGOMOJI. This malware, written in Golang, is specifically designed to infect Linux operating systems. It is a modified version of Discord-C2, leveraging Discord for command and control (C2) operations and using emojis for communication. This campaign involves using Linux malware to gain initial access, complemented by decoy documents targeted at Linux desktop users, a tactic uncommon in such attacks. It specifically targets Indian government entities relying on the BOSS Linux distribution for their desktop environments. Researchers have identified UTA0137 exploiting the DirtyPipe (CVE-2022-0847) privilege escalation vulnerability on “BOSS 9” systems, which remain susceptible to this aging exploit.


CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.


Visit www.cyfirma.com

