CYFIRMA: Cybersecurity Dossier - October 28, 2024

Threat Actor in Focus - UAT-5647 targets Ukrainian and Polish organizations using variants of RomCom malware

A new wave of attacks observed since late 2023 has been attributed to a Russian-speaking group tracked as UAT-5647, also referred to as RomCom. The group has been targeting Ukrainian government entities and potentially Polish entities with an updated version of its malware called “SingleCamper.” This variant is loaded directly from the registry into memory and communicates with its loader over a loopback address. UAT-5647 has expanded its toolkit with several components: two downloaders (RustyClaw and MeltingClaw), a Rust-based backdoor (DustyHammock), and a C++ backdoor (ShadyHammock). The attacks focus on establishing long-term access for data exfiltration, with a potential pivot to ransomware. The infection chain typically starts with a spear-phishing email delivering either RustyClaw or MeltingClaw. READ MORE


CVE-2024-7593 Vulnerability in Ivanti Virtual Traffic Manager: Vulnerability Analysis and Exploitation

CVE-2024-7593 is a critical authentication bypass vulnerability in Ivanti Virtual Traffic Manager (vTM) that has recently been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue. Carrying a CVSS score of 9.8, the flaw allows remote attackers, without prior authentication, to create an administrator account and thereby gain full control of the vTM system. Such access opens the door to a range of serious risks, including data theft, unauthorized deployment of malware, and complete loss of control over the network infrastructure. Exploiting the vulnerability requires access to the vTM management interface. Organizations using vTM are strongly urged to address this vulnerability promptly to mitigate the potential for exploitation and safeguard their critical systems. READ MORE


Data Breach Investigation on Cisco

CYFIRMA’s investigation uncovered a significant data leak involving Cisco, for which the notorious threat actor “IntelBroker” claimed responsibility. On October 14, 2024, IntelBroker posted on BreachForum, revealing that a wide range of Cisco’s sensitive information had been compromised. The stolen data includes valuable assets such as GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, certificates, customer SRCs, confidential Cisco documents, Jira tickets, API tokens, AWS private buckets, Docker builds, Azure storage buckets, SSL certificates, and both private and public keys. Additionally, Cisco premium products were part of the breach. This incident poses significant security and reputational risks, along with a supply chain threat, to Cisco and its B2B clients. The report provides a detailed analysis of the threat actor’s activity behind the breach and also highlights the actor’s continued access to Cisco systems despite being blocked by Cisco’s security controls. READ MORE


Ransomware of the Week

The CYFIRMA Research and Advisory Team found Sauron Ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers have identified Sauron as a ransomware program designed to encrypt files and extort payment for their decryption. When executed, Sauron encrypts files and renames them by appending a unique victim ID, the cybercriminals’ email address, and the “.Sauron” extension. Upon completing the encryption process, the ransomware alters the desktop wallpaper and leaves a ransom note named “#HowToRecover.txt” to instruct victims on payment procedures. Sauron’s ransom note informs victims that their files have been both encrypted and exfiltrated. To recover the data, a ransom payment in Bitcoin is required. Victims are warned that using third-party decryption tools could permanently corrupt the data, making recovery impossible. However, before committing to payment, the attackers offer a free decryption test. READ MORE
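As an added defensive example (not part of the CYFIRMA dossier), the following Python triage helper scans a constructed directory listing for the two host-level indicators described above: files renamed with the “.Sauron” extension and the “#HowToRecover.txt” note. The bracketed “[victim-id].[email]” layout of the appended fields, the sample paths and the contact address are assumptions; the dossier states only which fields are appended.

```python
import re

RANSOM_NOTE = "#HowToRecover.txt"
# Assumed layout of a renamed file: <original>.[<victim-id>].[<email>].Sauron
# The dossier only states which fields are appended, not their exact order.
SAURON_NAME_RE = re.compile(
    r"^(?P<orig>.+?)\.\[(?P<vid>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.Sauron$"
)

# Constructed directory listing of a hypothetical affected host (not real data).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.[7F3A9C21].[recover@example.invalid].Sauron",
    r"C:\Users\alice\Documents\#HowToRecover.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.[7F3A9C21].[recover@example.invalid].Sauron",
    r"C:\Users\alice\Pictures\#HowToRecover.txt",
    r"C:\Users\alice\Downloads\notes.txt",
    r"C:\Windows\System32\notepad.exe",
]

def split_path(path):
    """Split a Windows or POSIX path into (directory, basename)."""
    parts = re.split(r"[\\/]", path)
    return "/".join(parts[:-1]), parts[-1]

def parse_sauron_name(basename):
    """Return (original_name, victim_id, email) for a Sauron-renamed file, else None."""
    m = SAURON_NAME_RE.match(basename)
    return (m["orig"], m["vid"], m["email"]) if m else None

def scan_listing(paths):
    """Collect Sauron indicators from a listing: renamed files, note locations,
    and the victim IDs / contact addresses embedded in the filenames."""
    result = {"encrypted": [], "note_dirs": [], "victim_ids": set(), "emails": set()}
    for path in paths:
        directory, name = split_path(path)
        if name == RANSOM_NOTE:
            result["note_dirs"].append(directory)
            continue
        parsed = parse_sauron_name(name)
        if parsed:
            orig, vid, email = parsed
            result["encrypted"].append((path, orig))
            result["victim_ids"].add(vid)
            result["emails"].add(email)
    # Either indicator alone is enough to escalate the host for incident response.
    result["suspicious"] = bool(result["encrypted"] or result["note_dirs"])
    return result

if __name__ == "__main__":
    r = scan_listing(SAMPLE_LISTING)
    print(f"{len(r['encrypted'])} encrypted files, {len(r['note_dirs'])} ransom notes,"
          f" victim IDs {sorted(r['victim_ids'])}, contacts {sorted(r['emails'])}")
```

The original names recovered from the renamed files give responders an immediate inventory of what was encrypted, and the extracted victim ID and contact address can be matched against other hosts to scope the incident.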


Trending Malware of the Week

This week “Latrodectus” is trending. Researchers identified Latrodectus, a widely used loader by threat actors, as a key tool for downloading payloads and executing arbitrary commands. Phishing emails serve as the primary vector for distributing Latrodectus, which primarily targets financial, automotive, and healthcare sectors. By compromising email accounts and attaching malicious files, it spreads to a larger network of victims. The malware’s increasing use of common formats like HTML and PDF, coupled with its stealth and persistence, makes detection more difficult. This can result in data exfiltration, financial fraud, and the compromise of sensitive information. The Latrodectus campaign begins with attacks using compromised emails that appear to contain important DocuSign documents. Recipients are urged to click a link to view the document, which redirects them to a harmful website. This action unknowingly triggers the download of the next-stage malware payload. READ MORE


CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built the next generation of AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view to help clients prepare for impending attacks.


Visit www.cyfirma.com

Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.
