New Threat Detection Added: 5 (CrossLock Ransomware, DAAM Android Botnet, Sliver, CVE-2021-20090, and ScarCruft APT)
New Threat Protections: 9
Overall Weekly Observables Count: 2,409,148
New Ransomware Victims Last Week: 83


Daily Submissions by Observable Type Chart

Weekly Detected Threats

The following threats were added to Crystal Eye XDR this week:

Threat name: CrossLock Ransomware

CrossLock is a newly emerged ransomware group that targets businesses and demands a significant ransom. Along with encrypting the victim's files, the attackers adopt double-extortion tactics: they steal sensitive data and threaten to publish it on their onion leak site unless the ransom is paid. The threat actors behind CrossLock wrote it in the Go programming language, which offers several advantages, among them the ability to compile a single codebase for multiple operating systems. Particularly concerning is the ransomware's use of Event Tracing for Windows (ETW) bypass techniques, which let the malware evade security tools that rely on ETW telemetry. CrossLock also takes several steps to reduce the chances of data recovery and increase the attack's effectiveness.

Threat Protected: 01

Rule Set Type:
Ruleset        IDS: Action   IPS: Action
Balanced       Reject        Drop
Security       Reject        Drop
WAF            Disabled      Disabled
Connectivity   Alert         Alert
OT             Disabled      Disabled

Class Type: Trojan-activity
Kill Chain: Execution T1059/T1204/T1047 - Defence Evasion T1564/T1027/T1497/T1070 - Discovery T1082/T1135/T1083/T1057 - Impact T1486/T1490


Threat name: DAAM Android Botnet

A new Android botnet called DAAM has been discovered that is distributed through trojanised applications. It is capable of a variety of malicious actions, including data theft, DDoS attacks, and spamming, and it uses a Command-and-Control infrastructure to communicate with its operators and receive instructions. Researchers have published technical details of the botnet's functionality and of the trojanised applications used to distribute it. Downloading apps only from trustworthy sources is critical to avoid falling prey to such botnets. Because DAAM is a significant threat to Android users, staying vigilant and taking the necessary precautions against infection is essential.

Threat Protected: 02

Rule Set Type:
Ruleset        IDS: Action   IPS: Action
Balanced       Alert         Alert
Security       Reject        Drop
WAF            Disabled      Disabled
Connectivity   Alert         Alert
OT             Disabled      Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1476/T1444 - Collection T1433/T1432/T1429/T1512/T1414 - Discovery T1418 - Persistence T1402 - Impact T1471


Threat name: Sliver

Sliver is an adversarial attack simulation framework developed by researchers at the cybersecurity company Bishop Fox and designed to elude security products. In attacks observed in the wild, Sliver has served as the beachhead of the initial infection toolchain and as part of the ransomware delivery framework. It has been deployed via active opportunistic scanning and possible exploitation of Log4j and VMware Horizon vulnerabilities, and has been used against organisations in the Government, Research, Telecom, and University sectors, in addition to sporadic victims of opportunity.

Threat Protected: 01

Rule Set Type:
Ruleset        IDS: Action   IPS: Action
Balanced       Reject        Drop
Security       Reject        Drop
WAF            Disabled      Disabled
Connectivity   Alert         Alert
OT             Disabled      Disabled

Class Type: Malware
Kill Chain: Execution TA0002 - Privilege Escalation TA0004 - Defence Evasion TA0005 - Discovery TA0007 - Command-and-Control TA0011


Threat name: CVE-2021-20090

A path traversal vulnerability in the web interfaces of networking devices manufactured by Arcadyan, including the Buffalo WSR-2533DHPL2 (firmware version <= 1.02) and WSR-2533DHP3 (firmware version <= 1.24), could allow unauthenticated remote attackers to bypass authentication. The vulnerability exists because a list of folders falls under a "bypass list" that is served without authentication. For most of the affected devices, this means the vulnerability can be triggered through multiple paths. To have the pages load properly, one will need to use proxy match/replace settings to ensure any resources loaded which require authentication also leverage the path traversal.

Threat Protected: 01

Rule Set Type:
Ruleset        IDS: Action   IPS: Action
Balanced       Reject        Drop
Security       Reject        Drop
WAF            Disabled      Disabled
Connectivity   Alert         Alert
OT             Disabled      Disabled

Class Type: Trojan
Kill Chain: Initial Access T1190 - Execution T1059 - Command-and-Control T1071
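The CVE-2021-20090 entry above describes an authentication bypass where a request that starts under an unauthenticated "bypass list" folder is resolved, after dot-segment traversal, to a page that should require a login. The following detection script is an added example written for this bulletin; it is not Red Piranha's or Crystal Eye's own rule, and the bypass-list prefixes, file names and log lines in it are constructed placeholders rather than values from the advisory. It parses combined-format web-server access logs, decodes the request path (twice, to catch double URL encoding), normalises away `..` segments, and flags any request that entered through a bypass-list prefix but resolved outside it.

```python
import re
from posixpath import normpath
from typing import Dict, List
from urllib.parse import unquote

# Constructed stand-in for the device's authentication "bypass list" (the
# unauthenticated folder prefixes). The real list is device-specific and is
# not reproduced here; these three prefixes are placeholders.
BYPASS_PREFIXES = ("/images/", "/js/", "/css/")

# Apache/nginx combined-log format: source IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def decode_path(raw_path: str) -> str:
    """Strip the query string and percent-decode twice to catch double encoding."""
    path = raw_path.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")

def normalize(raw_path: str) -> str:
    """Collapse '.' and '..' segments; a leading '/' keeps '..' from escaping the root."""
    return normpath("/" + decode_path(raw_path).lstrip("/"))

def under_bypass(path: str) -> bool:
    """True when a normalised path still lies inside an unauthenticated prefix."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in BYPASS_PREFIXES)

def is_bypass_traversal(raw_path: str) -> bool:
    """Entered via a bypass-list prefix but resolved to a path outside every prefix."""
    if not decode_path(raw_path).startswith(BYPASS_PREFIXES):
        return False
    return not under_bypass(normalize(raw_path))

def scan(log_text: str) -> List[Dict]:
    """Return one finding per suspicious request: source, raw path, resolved path, status."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_traversal(m["path"]):
            findings.append({"src": m["src"], "path": m["path"],
                             "resolved": normalize(m["path"]), "status": int(m["status"])})
    return findings

# Constructed sample log, not real traffic: one benign asset fetch, two traversal
# attempts (single- and double-encoded), and one benign request with a query string.
LOG_SAMPLE = """\
203.0.113.7 - - [20/Apr/2023:10:01:02 +0000] "GET /images/logo.png HTTP/1.1" 200 5120
203.0.113.7 - - [20/Apr/2023:10:01:05 +0000] "GET /images/..%2fadmin.cgi HTTP/1.1" 200 812
203.0.113.9 - - [20/Apr/2023:10:02:17 +0000] "GET /js/%252e%252e/config.html HTTP/1.1" 200 2211
198.51.100.4 - - [20/Apr/2023:10:03:00 +0000] "GET /css/style.css?v=3 HTTP/1.1" 304 0
"""
```

A 200 response on a flagged request is the signal that matters: the device served a page it should have gated behind the login.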


Threat name: ScarCruft APT

ScarCruft is an APT group that has been observed targeting the healthcare, telecommunications, and technology sectors. It is known to use a variety of TTPs, including spear-phishing and watering hole attacks, and is attributed with the Operation Daybreak campaign, in which an Adobe zero-day was used. Those campaigns took place in early 2016, which also indicates that the group is long-running and constantly evolving.

Threat Protected: 04

Rule Set Type:
Ruleset        IDS: Action   IPS: Action
Balanced       Reject        Drop
Security       Reject        Drop
WAF            Disabled      Disabled
Connectivity   Alert         Alert
OT             Disabled      Disabled

Class Type: Trojan-activity
Kill Chain: Initial Access T1566 - Execution T1059 - Command-and-Control T1102/T1071


Known exploited vulnerabilities (Week 3 April 2023):

For more information, refer to the Forum – Security Advisory.

Vulnerability    Description
CVE-2023-2033    Google Chromium V8 Engine Type Confusion Vulnerability
CVE-2019-8526    Apple macOS Use-After-Free Vulnerability
CVE-2017-6742    Cisco IOS and IOS XE Software SNMP Remote Code Execution Vulnerability



Updated Malware Signatures (Week 3 April 2023)

Threat       Description
TeslaCrypt   A ransomware family first seen in 2015. It is usually distributed through spam email campaigns, malicious attachments, and exploit kits.
Zeus         Also known as Zbot; primarily designed to steal banking credentials.
DarkKomet    A remote access trojan that can take full control of an infected machine.
Bunitu       Malware that turns infected machines into proxy servers for threat actors; it also belongs to a family of botnets.


New Ransomware Victims Last Week: 83

Red Piranha proactively gathers information about organisations impacted by ransomware attacks through various channels, including the Dark Web. In the past week, our team identified a total of 83 new ransomware victims from 19 distinct industries across 28 countries worldwide. This highlights the global reach and indiscriminate nature of ransomware attacks, which can affect organisations of all sizes and sectors.

LockBit 3.0 affected the largest number of new victims (24), spread across various countries. The Ransomware blog and Royal groups follow, with 21 and 6 new victims respectively. Below are the victim counts (%) for these ransomware groups and a few others.

Name of Ransomware Group   Percentage of new Victims last week
Abyss-data                 1.20%
Alphv                      4.82%
Blackbyte                  3.61%
Crosslock                  1.20%
Cryptnet                   2.41%
Dunghill                   2.41%
Everest                    1.20%
Karakurt                   2.41%
Lockbit3                   28.92%
Medusa                     2.41%
Play                       6.02%
Ransomware blog            25.30%
Royal                      7.23%
Trigona                    7.23%
Unsafe                     1.20%
Vicesociety                2.41%


Ransomware Hits Last Week Chart

Examining the victims by country, across the 28 countries affected worldwide, the USA was once again the most ransomware-affected country, with a total of 37 new victims reported last week. The list below shows the share (%) of new ransomware victims per country.

Name of the affected Country   Victims (%)
Angola                         1.20%
Australia                      1.20%
Brazil                         3.61%
Canada                         4.81%
France                         6.02%
Germany                        3.61%
Hong Kong                      1.20%
Ireland                        2.41%
Israel                         2.41%
Italy                          2.41%
Japan                          2.41%
Mexico                         1.20%
Netherlands                    2.41%
New Zealand                    1.20%
Nigeria                        1.20%
Philippines                    1.20%
Portugal                       1.20%
Romania                        1.20%
Slovakia                       1.20%
Spain                          1.20%
Sweden                         1.20%
UAE                            2.41%
UK                             6.02%
USA                            1.20%
Venezuela                      1.20%
Vietnam                        1.20%

Ransomware Worldwide Victims Chart

Further research shows that ransomware impacted 19 industries globally. Last week, the Manufacturing and Business Services sectors were hit particularly hard, with 17 and 6 businesses affected respectively. The table below presents the most recent ransomware victims sorted by industry.

Name of the affected Industry   Victims Count (%)
Healthcare                      4.82%
Agriculture                     1.20%
Business Services               9.64%
Construction                    7.23%
Consumer Services               6.02%
Education                       6.02%
Electricity, Oil & Gas          1.20%
Energy                          2.41%
Finance                         7.23%
Government                      4.82%
Healthcare                      2.41%
Hospitality                     4.82%
Insurance                       3.61%
IT                              4.82%
Legal Services                  3.61%
Manufacturing                   20.48%
Media & Internet                1.20%
Retail                          6.02%
Telecommunications              2.41%

Industry-wise Ransomware Victims Chart

Details
Date Published: April 24, 2023