CYBERSECURITY DOSSIER - November 18, 2024
Threat Actor in Focus - Analyzing Earth Estries’ Persistent Tactics, Techniques, and Procedures in Sustained Cyber Operations
Earth Estries, an advanced threat actor active since 2020, employs two distinct attack chains to exploit vulnerabilities in systems such as Microsoft Exchange servers and QConvergeConsole. In the first infection chain, the group uses CAB files to deliver tools such as Cobalt Strike, Crowdoor, and Trillclient, which enable lateral movement, credential theft, and persistence. PsExec and WMIC are used to spread the backdoors across the network, while Trillclient collects credentials from browser caches. The second chain targets Exchange servers, deploying web shells (such as ChinaChopper) to introduce backdoors, including Zingdoor and SnappyBee, with additional components delivered through cURL downloads. Earth Estries’ tactics also include credential theft and data exfiltration via anonymized file-sharing services. Persistence is maintained through frequent updates to the installed tools. READ MORE
BLACK BASTA : RANSOMWARE
Black Basta, known for its targeted attacks across multiple industries, emerged as a formidable ransomware group in 2022. Leveraging social engineering and advanced malware, the group systematically compromises networks, demanding ransoms under the threat of data exposure. Its evolving tactics highlight the urgent need for strong defenses and proactive cybersecurity strategies. Black Basta, a prominent Ransomware-as-a-Service (RaaS) group, emerged in April 2022 and has rapidly gained notoriety for targeting various sectors, including construction, healthcare, manufacturing, finance, retail, and entertainment. Black Basta ransomware has compromised more than 500 organizations across the globe. The group employs a range of tactics, including phishing, exploitation of vulnerabilities, and double extortion. Its operations involve meticulous reconnaissance, credential dumping, privilege escalation, and systematic exfiltration. READ MORE
APT Profile – MUDDYWATER
MuddyWater is an APT group assessed to be affiliated with the Iranian government. It targets victims in the Middle East with in-memory vectors leveraging PowerShell, in a family of attacks now described as “living off the land”, since they do not require the creation of new binaries on the victim’s machine and therefore maintain a low detection profile and a low forensic footprint. The operators behind MuddyWater are likely espionage motivated. Despite the strong preponderance of victims from Pakistan, the most active targets appear to be in Saudi Arabia, the UAE, and Iraq. In a recent campaign, the MuddyWater threat group is believed to have targeted organizations in Saudi Arabia, Turkey, Azerbaijan, India, and Portugal. The attackers have been using compromised organizational email accounts to send phishing messages, primarily aimed at deploying legitimate remote management tools such as Atera Agent and Screen Connect. READ MORE
TRACKING RANSOMWARE : OCTOBER 2024
October 2024 marked a rise in ransomware incidents, with the RansomHub group leading in impact. Sectors such as manufacturing and healthcare faced significant threats, with groups primarily targeting the USA. Groups such as Dragon, Fog, and Akira showed evolution during this period, and the emergence of groups such as Hellcat and Playboy points to an intensifying ransomware landscape with evolving tactics. This report examines the latest ransomware trends, including RansomHub’s high activity and newly emerged groups such as Hellcat. With the USA as the primary target, the report highlights ransomware’s growing reach across industries and the need for heightened cybersecurity measures. In October 2024, the RansomHub ransomware group emerged as a significant threat, taking the lead with 85 victims. The manufacturing sector was the primary target of ransomware attacks, with 91 incidents. The USA was the most targeted geography in October 2024. READ MORE
CYFIRMA INDUSTRY REPORT : LOGISTICS
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the logistics industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the logistics industry. We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape. CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research. For the purpose of these reports, we leverage the following data from our platform. READ MORE
Ransomware of the Week
The CYFIRMA Research and Advisory Team found Weaxor ransomware while monitoring various underground forums as part of our Threat Discovery Process. Weaxor is a newly identified ransomware strain that encrypts files, compelling victims to pay for decryption. It appends the “.rox” extension to affected filenames and leaves a ransom note titled “RECOVERY INFO.txt” with instructions for recovery. Weaxor’s ransom note informs victims that their data has been encrypted and that a decryption tool is required for recovery. Victims are instructed to download the TOR browser and use a provided link to contact the attackers. The note includes two contact emails and offers free decryption of up to three files (5 MB each), excluding databases or backups. CYFIRMA’s assessment, based on the available information, suggests that Weaxor ransomware could continue to evolve in stealth and evasion techniques, targeting Windows systems across diverse sectors. READ MORE
Trending Malware of the Week
This week “Rhadamanthys” is trending. Researchers have been tracking a large-scale phishing campaign, dubbed CopyRh(ight)adamantys, which deploys the new version of the Rhadamanthys stealer (version 0.7) across regions including the United States, Europe, East Asia, and South America. This sophisticated campaign impersonates various companies, primarily in the Entertainment, Media, and Technology sectors, and falsely claims that victims have committed copyright infringement on their Facebook pages. Phishing emails, often sent from different Gmail accounts, encourage recipients to download an archive file that triggers DLL side-loading, leading to the installation of the Rhadamanthys stealer. While the latest version of the stealer allegedly includes an AI-powered OCR module, researchers have found that it instead uses older machine learning techniques typical of traditional OCR software. READ MORE
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view to help clients prepare for impending attacks.
Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.
3 months ago: The insights on Earth Estries are indeed critical. Their sophisticated techniques highlight the growing need for adaptive cybersecurity measures. Thanks for sharing this detailed analysis!