CYFIRMA: Cybersecurity Dossier
Threat Actor in Focus: Persistent Cyber Intrusions: APT28’s Operations Against Global Institutions
A sophisticated cyber-espionage campaign attributed to APT28, a group linked to the Russian GRU, has been actively targeting Polish government institutions. Techniques employed include DLL side-loading and scripts that download and execute additional payloads. APT28’s operations exhibit a high level of technical proficiency and employ a diverse range of techniques and objectives.

One key indicator of their activity is the use of spear-phishing emails, meticulously crafted to appear legitimate and personalized to their targets within government agencies. These emails contain links to free, widely used web services such as run[.]mocky[.]io and webhook[.]site, which serve as the initial entry points for malware delivery. Clicking a link initiates the download of a ZIP archive containing malware disguised as image files. The archive typically holds a legitimate Windows Calculator binary renamed to look like a JPG image, alongside a hidden batch script and a hidden DLL.

A notable aspect of APT28’s operations is DLL side-loading: when the legitimate, signed Calculator binary is launched, it resolves a DLL it depends on by name and loads the attacker’s copy placed beside it. The malicious code therefore runs inside a trusted process, which makes it less likely to be flagged by security software, and the victim’s system is compromised without an obviously malicious executable ever being run directly. Furthermore, APT28 demonstrates a keen understanding of network evasion, hosting its lures on run[.]mocky[.]io and webhook[.]site: because these platforms are legitimate and commonly allowed, links to them are less likely to be detected or blocked by security controls. The group also employs a multi-stage attack chain, using social-engineering tactics at each stage to maintain the illusion of legitimacy and deceive victims.
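The content check an analyst would want for this lure is to look past file extensions inside the archive. The following is an added example, not code from the CYFIRMA report: it inspects a ZIP for an image-named member whose bytes are really a Windows PE, for DLL and batch-script members, and for entries carrying the DOS hidden attribute. The archive it builds is constructed for illustration; the member names (photo.jpg, helper.dll, run.bat) and the DOS-header stub standing in for the Calculator binary are assumptions, not real APT28 artefacts.

```python
import io
import zipfile
from typing import Dict, List

PE_MAGIC = b"MZ"               # DOS header signature every Windows PE starts with
JPEG_MAGIC = b"\xff\xd8\xff"   # what a real JPEG starts with
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")
FILE_ATTRIBUTE_HIDDEN = 0x02   # DOS attribute bit kept in the ZIP external_attr low byte


def inspect_archive(data: bytes) -> Dict[str, List[str]]:
    """Look inside a ZIP (bytes) for the lure pattern described in the report:
    a member with an image extension whose content is really a PE, plus DLL and
    batch-script members, possibly marked hidden. Returns the matching names."""
    findings: Dict[str, List[str]] = {"disguised_pe": [], "dll": [], "script": [], "hidden": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as member:
                head = member.read(4)
            # Content, not extension, decides what the file is.
            if name.endswith(IMAGE_EXTS) and head.startswith(PE_MAGIC):
                findings["disguised_pe"].append(info.filename)
            if name.endswith(".dll"):
                findings["dll"].append(info.filename)
            if name.endswith((".bat", ".cmd")):
                findings["script"].append(info.filename)
            if info.external_attr & FILE_ATTRIBUTE_HIDDEN:
                findings["hidden"].append(info.filename)
    return findings


def verdict(findings: Dict[str, List[str]]) -> str:
    """A PE hiding behind an image name is suspicious on its own; a DLL next to it
    is the side-loading pair the report describes."""
    if findings["disguised_pe"] and findings["dll"]:
        return "suspicious: PE disguised as image with side-load DLL"
    if findings["disguised_pe"]:
        return "suspicious: PE disguised as image"
    return "clean"


def build_lure_archive() -> bytes:
    """Constructed sample mimicking the described archive (not a real APT28 artefact).
    A bare DOS header stub stands in for the Calculator binary; names are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)   # PE renamed to .jpg
        for name, body in (("helper.dll", b"MZ\x90\x00" + b"\x00" * 60),
                           ("run.bat", b"@echo off\r\nrem constructed placeholder\r\n")):
            entry = zipfile.ZipInfo(name)
            entry.external_attr = FILE_ATTRIBUTE_HIDDEN   # hidden, as in the lure
            zf.writestr(entry, body)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a JPEG that really is a JPEG, and nothing else."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", JPEG_MAGIC + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for builder in (build_lure_archive, build_benign_archive):
        found = inspect_archive(builder())
        print(builder.__name__, "->", verdict(found), found)
```

The same check applies to any archive arriving by mail or download: a hidden DLL sitting next to a renamed signed executable is the side-loading layout, regardless of the specific binary used.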
Cyber Attacks on Egypt, UAE, and Saudi Arabia
The ongoing conflict between Israel and Palestine has caused nations and hacker groups to take sides, with some pro-Palestinian groups targeting critical infrastructure in Israel and its allies. Recently, Egypt was attacked because its government was accused of delaying humanitarian aid to Palestinian refugees; in response, pro-Palestine hacktivist groups carried out cyberattacks disrupting the official website of Cairo and the government income tax department. Similarly, Saudi Arabia stepped up arrests of those speaking out against Israel, which provoked multiple pro-Palestine hacktivist groups to retaliate. The pro-Palestine hacktivist group Anonymous Collective has used DDoS attacks, defacements, and data leaks, and Saudi Arabia’s critical infrastructure has also been targeted (namely a DDoS attack on a Saudi electricity company that caused temporary disruptions). On May 10th, 2024, another group, “TEAM1916” from Afghanistan, carried out a DDoS attack on the official website of Dubai. During our investigations, our team also uncovered details of a DDoS attack orchestrated by Anonymous Sudan against Etisalat Egypt in the first week of March.
Ransomware of the Week
CYFIRMA Research and Advisory Team found EnigmaWave ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers uncovered EnigmaWave at the beginning of May 2024. The ransomware encrypts data to make it inaccessible and demands payment for its decryption. It appends the attackers’ email address, a unique victim ID, and the “.EnigmaWave” extension to each encrypted file name, and drops a ransom-demanding message titled “Readme.txt”. The ransom note notifies victims that their network has been infected and their files encrypted, and that backups and Volume Shadow Copies have been removed. The attackers claim to be the only party able to restore the locked files and demand payment in Bitcoin. Victims are offered a test decryption of two random files before committing to payment. The note also cautions against deleting files or shutting down or resetting the system, as these actions may jeopardize data decryption.
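For responders, the two observable artefacts in this write-up are the renamed files and the note, and the precursor behaviour worth alerting on is the destruction of shadow copies. The following is an added example, not code from the CYFIRMA report. It triages a file listing for the “.EnigmaWave” extension, recovers the attacker e-mail and victim ID from the names, counts the ransom notes, and separately flags command lines that delete shadow copies or backups. The report fixes the order of the appended elements but not the separators, so the dot-separated layout assumed by the regex is an assumption; the file listing, the e-mail address, the victim ID and the command lines are all constructed, and the backup-destruction commands are generic ransomware tradecraft, not commands confirmed for EnigmaWave.

```python
import re
from typing import Dict, Iterable, List, Optional

ENCRYPTED_EXT = ".EnigmaWave"
NOTE_NAME = "Readme.txt"

# Assumed layout: <original>.<email>.<victimid>.EnigmaWave (order from the report,
# dot separators assumed). Dots are excluded from the e-mail local part so the
# original file name's own extension cannot be swallowed into the address.
NAME_RE = re.compile(
    r"^(?P<original>.+?)\.(?P<email>[^\s./\\@]+@[^\s/\\@]+?)\.(?P<victim_id>[^\s.]+)"
    + re.escape(ENCRYPTED_EXT) + r"$",
    re.IGNORECASE,
)


def parse_encrypted_name(name: str) -> Optional[Dict[str, str]]:
    """Split an encrypted file name into original name, attacker e-mail, victim ID."""
    m = NAME_RE.match(name)
    return m.groupdict() if m else None


def triage_listing(paths: Iterable[str]) -> Dict[str, object]:
    """Summarise a file listing (one path per item) for EnigmaWave indicators."""
    parsed: List[Dict[str, str]] = []
    unparsed: List[str] = []
    notes: List[str] = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower().endswith(ENCRYPTED_EXT.lower()):
            fields = parse_encrypted_name(name)
            if fields:
                parsed.append(fields)
            else:
                unparsed.append(path)   # extension matches but layout differs: still encrypted
        elif name.lower() == NOTE_NAME.lower():
            notes.append(path)
    return {
        "encrypted_count": len(parsed) + len(unparsed),
        "attacker_emails": sorted({f["email"].lower() for f in parsed}),
        "victim_ids": sorted({f["victim_id"] for f in parsed}),
        "ransom_notes": notes,
        "unparsed": unparsed,
    }


# Generic shadow-copy / backup destruction commands seen across ransomware families.
# Not confirmed for EnigmaWave; the report only states that backups and VSS were removed.
BACKUP_DESTRUCTION = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b", re.I),
    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]


def is_backup_destruction(cmdline: str) -> bool:
    """True if a process command line matches a known backup-destruction pattern."""
    return any(p.search(cmdline) for p in BACKUP_DESTRUCTION)


# Constructed sample data (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.attacker@example.com.7F3A9C.EnigmaWave",
    r"C:\Users\alice\Documents\Readme.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.attacker@example.com.7F3A9C.EnigmaWave",
    r"C:\Users\alice\Pictures\Readme.txt",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Desktop\weird.EnigmaWave",   # unexpected layout, still counted
]
SAMPLE_CMDLINES = [
    "vssadmin.exe Delete Shadows /All /Quiet",
    "vssadmin list shadows",                      # benign enumeration, must not match
    "wmic shadowcopy delete",
    'cmd.exe /c "bcdedit /set {default} recoveryenabled No"',
]

if __name__ == "__main__":
    print(triage_listing(SAMPLE_LISTING))
    for c in SAMPLE_CMDLINES:
        print(is_backup_destruction(c), c)
```

The victim ID and e-mail recovered from file names are what you would pivot on when checking whether other hosts belong to the same intrusion; the backup-destruction check belongs in process-creation telemetry, since by the time “.EnigmaWave” files appear the shadow copies are already gone.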
The Indian Election: The Grandest Spectacle of Democracy under AI Threat
India has a multiparty parliamentary government with a bicameral legislature. This year’s elections, which began a month ago and will run through June 1st, are for India’s lower house of Parliament, the Lok Sabha, which has 543 seats. The party or coalition of parties that wins a majority will nominate a candidate for prime minister and form a ruling government. The incumbent Bharatiya Janata Party (BJP) government is favored to win, as the election is playing out against a backdrop of sidelined opposition. Despite Indian democracy sliding towards more authoritarian rule, India’s election and broader political environment stand in contrast to political trends across the region (namely Pakistan and Bangladesh). The biggest difference stems from the striking popularity and longevity of the Indian Prime Minister Narendra Modi and his BJP. According to recent surveys, the prime minister enjoys the approval of around three-quarters of the electorate, a remarkably high figure for a head of government in office for nearly a decade. Many factors account for this popularity: his personality and leadership model, the government’s achievements mainly in the economic sphere, the BJP’s popular ideology, and the weakness of India’s political opposition. Under the given conditions, the question to be settled in the elections is not whether Prime Minister Modi and the BJP are going to win, but by how much. There are close to 970 million registered voters, and because of Indian election rules there must be a polling station within two kilometers of every habitation. This produces many incredible stories of polling stations set up high in Himalayan villages, or of elections organized for indigenous communities in remote areas where a polling station serves fewer than ten people. For example, Anlay Phu, located at more than 4,877 meters above sea level, has one of the highest-altitude polling stations in the world, with fewer than a hundred registered voters.
TRACKING RANSOMWARE: APRIL 2024
In April 2024, ransomware activity displayed dynamic trends, with prominent shifts among the top groups. While Hunters experienced a significant increase in claimed victims, LockBit faced a considerable decline. Industries like manufacturing and FMCG witnessed contrasting trends, while geographical targeting predominantly affected the United States. Emerging groups like SEXi and APT73 highlight evolving threats. Major incidents include attacks on Hoya Corporation and Omni Hotels, emphasizing the critical need for robust cybersecurity measures. This report presents a comparative analysis of the top five ransomware groups’ activities from March to April 2024, provides insights into industry-specific targeting and geographical impacts, and discusses emerging ransomware groups and key events, highlighting the evolving threat landscape and the imperative for enhanced cybersecurity measures.
Trending Malware of the Week
This week “zEus Stealer” is trending. zEus is malware categorized as a stealer: it is designed specifically to extract sensitive information from infected devices, including the login credentials for various accounts. Researchers discovered the zEus stealer inside a Minecraft source pack shared on YouTube, packaged as a WinRAR self-extracting archive. The file masquerades as a Windows screensaver (.scr) file and, when opened, launches the stealer while displaying an image labelled “zEus”, a name that also appears in the profile of the Discord webhook used to receive the stolen data. Once executed by a victim, zEus first checks for analysis tools in order to evade detection, comparing the computer’s name and the list of running processes against predefined blacklists. If no analysis environment is detected, it proceeds to gather sensitive information and drops additional script files to extend its capabilities, creating folders under C:\ProgramData to store both the stolen data and its own malicious scripts.
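The behaviours the write-up attributes to zEus (a screensaver-named executable launched from a user directory, files and scripts dropped under C:\ProgramData, and stolen data posted to a Discord webhook) are each weak signals on their own but distinctive in combination. The following is an added example, not code from the CYFIRMA report or from the zEus analysis it summarises: it correlates Sysmon-style events per process and flags a process only when several of these behaviours co-occur. The events, process IDs, paths and webhook identifiers are constructed; the Discord webhook URL shape (/api/webhooks/<id>/<token>) is the public API format.

```python
import re
from typing import Dict, List, Set

# Constructed Sysmon-style events with simplified field names (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"type": "process_create", "pid": 4242,
     "image": r"C:\Users\bob\Downloads\ShaderPack\install.scr"},
    {"type": "file_create", "pid": 4242, "path": r"C:\ProgramData\zEus\passwords.txt"},
    {"type": "file_create", "pid": 4242, "path": r"C:\ProgramData\zEus\run.vbs"},
    {"type": "http_request", "pid": 4242, "method": "POST",
     "url": "https://discord.com/api/webhooks/1234567890/abcdefXYZ"},   # made-up id/token
    {"type": "process_create", "pid": 5100, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "file_create", "pid": 5100, "path": r"C:\Users\bob\Documents\todo.txt"},
    {"type": "process_create", "pid": 6001,
     "image": r"C:\Users\bob\AppData\Local\Discord\app\Discord.exe"},
    {"type": "http_request", "pid": 6001, "method": "GET",
     "url": "https://discord.com/api/v9/gateway"},   # the real client, not a webhook
]

# Discord webhook endpoint shape; the API path is public, the numeric id is assumed.
WEBHOOK_RE = re.compile(r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".ps1", ".js")
USER_WRITABLE = ("\\users\\", "\\temp\\")


def collect_indicators(events: List[Dict[str, object]]) -> Dict[int, Set[str]]:
    """Group events by pid and tag each process with the behaviours the report
    attributes to zEus. Plenty of legitimate software writes to ProgramData or
    talks to Discord, so a single tag is never enough on its own."""
    tags: Dict[int, Set[str]] = {}
    for ev in events:
        pid = int(ev["pid"])
        found: Set[str] = set()
        if ev["type"] == "process_create":
            image = str(ev["image"]).lower()
            if image.endswith(".scr") and any(m in image for m in USER_WRITABLE):
                found.add("scr_from_user_dir")        # screensaver masquerade from a user path
        elif ev["type"] == "file_create":
            path = str(ev["path"]).lower()
            if path.startswith("c:\\programdata\\"):
                found.add("programdata_drop")
                if path.endswith(SCRIPT_EXTS):
                    found.add("programdata_script")   # dropped helper script
        elif ev["type"] == "http_request":
            if str(ev["method"]).upper() == "POST" and WEBHOOK_RE.match(str(ev["url"])):
                found.add("discord_webhook_post")      # exfiltration channel
        if found:
            tags.setdefault(pid, set()).update(found)
    return tags


def flag_processes(events: List[Dict[str, object]], min_indicators: int = 2) -> List[int]:
    """Return pids showing at least min_indicators distinct zEus-like behaviours."""
    return sorted(pid for pid, t in collect_indicators(events).items()
                  if len(t) >= min_indicators)


if __name__ == "__main__":
    print(collect_indicators(SAMPLE_EVENTS))
    print("flagged:", flag_processes(SAMPLE_EVENTS))
```

The threshold is the tuning knob: the genuine Discord client in the sample only ever GETs the gateway and writes nothing under ProgramData, so it never reaches it, while the stealer trips every tag.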
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform, called External Threat Landscape Management (ETLM), to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.
SCHEDULE A DEMO HERE
Visit www.cyfirma.com