Overkill Security. Digest. 2024-04

NOTHING SAYS 'SECURITY' LIKE A DOZEN FIREWALLS AND A BIOMETRIC SCANNER

Find more: BOOSTY.TO | SPONSR.RU

OVERKILL SECURITY
TELEGRAM MONTHLY DIGEST. 2024 / 04

Welcome to the next edition of our Monthly Digest, your one-stop resource for staying informed on the most recent developments, insights, and best practices in the ever-evolving field of security. In this issue, we have curated a diverse collection of articles, news, and research findings tailored to both professionals and casual enthusiasts. Our digest aims to make our content both engaging and accessible. Happy reading!

Free Issue - Casual
The perfect starting point for those new to the world of cybersecurity without financial commitment.

Paid Issue – Regular
Tailored for regular readers who have a keen interest in security and wish to stay abreast of the latest trends and updates.

Paid Issue – Pro
Designed for IT pros, cybersecurity experts, and enthusiasts who seek deeper insights and more comprehensive resources.

Read more: Boosty | Sponsr | TG

I. NEWS SECTION

SHARPADWS IS A TOOL FOR RED TEAM OPS


SharpADWS is a tool designed for Red Team operations that focuses on reconnaissance and exploitation of Active Directory (AD) environments through the Active Directory Web Services (ADWS) protocol. Unlike traditional methods of interacting with Active Directory, which usually use the Lightweight Directory Access Protocol (LDAP), the tool leverages ADWS to perform its operations without communicating with the LDAP server directly. Instead, LDAP queries are wrapped in SOAP messages and sent to the ADWS server, which unpacks and forwards them to the LDAP server. As a result, LDAP queries can appear in logs to originate from the local address 127.0.0.1, which security systems might overlook. SharpADWS can also be used to modify Active Directory data, for example by granting DCSync privileges to an account for domain persistence or by enabling the "Do not require Kerberos preauth" option on an account to set it up for an AS-REP Roasting attack.
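The two modifications named above (a DCSync grant and the "Do not require Kerberos preauth" flag) and the loopback-sourced LDAP queries are all things a defender can test for. The script below is an added example, not code from the digest or from the SharpADWS project. It runs three checks over constructed records that stand in for normalised SIEM data: userAccountControl changes as reported by Security event 4738, directory ACL changes, and LDAP search records correlated with sessions to the DC's ADWS listener (TCP 9389). The account names, hosts, times and the LDAP filter are made up; the flag value 0x400000 (DONT_REQ_PREAUTH), the two replication extended rights and the ADWS port are real.

```python
"""Detection checks for ADWS-driven AD changes (added example, not from the
digest or the SharpADWS project). All input records below are constructed."""
from dataclasses import dataclass

# Real userAccountControl flag behind the "Do not require Kerberos
# preauthentication" checkbox.
DONT_REQ_PREAUTH = 0x400000

# The two replication extended rights that together allow DCSync.
DCSYNC_RIGHTS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

# ADWS listens on TCP 9389; queries it relays to LDAP show a loopback client.
ADWS_PORT = 9389


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str
    detail: str


def check_preauth_change(rec):
    """Flag a 4738-style change that newly sets DONT_REQ_PREAUTH."""
    old, new = rec["old_uac"], rec["new_uac"]
    if not old & DONT_REQ_PREAUTH and new & DONT_REQ_PREAUTH:
        return Finding("asrep-roastable", rec["target"],
                       f"userAccountControl {old:#x} -> {new:#x} by {rec['actor']}")
    return None


def check_dcsync_grant(rec):
    """Flag a trustee that receives both replication rights on a domain NC."""
    on_domain_nc = rec["object"].lower().startswith("dc=")
    if on_domain_nc and DCSYNC_RIGHTS <= set(rec["rights_granted"]):
        return Finding("dcsync-grant", rec["trustee"],
                       f"replication rights on {rec['object']} granted by {rec['actor']}")
    return None


def check_ldap_origin(search, adws_sessions):
    """A loopback client on a DC means a local service relayed the query.
    Correlate with ADWS sessions open at that moment to name the real client
    instead of trusting the 127.0.0.1 recorded in the LDAP log."""
    if search["client_ip"] != "127.0.0.1":
        return None
    peers = sorted({s["remote_ip"] for s in adws_sessions
                    if s["dc"] == search["dc"] and s["local_port"] == ADWS_PORT
                    and s["start"] <= search["time"] <= s["end"]})
    if peers:
        return Finding("adws-relayed-query", ",".join(peers),
                       f"loopback LDAP search {search['filter']} attributable to ADWS client")
    return None


def run_checks(uac_changes, acl_changes, ldap_searches, adws_sessions):
    findings = [check_preauth_change(r) for r in uac_changes]
    findings += [check_dcsync_grant(r) for r in acl_changes]
    findings += [check_ldap_origin(r, adws_sessions) for r in ldap_searches]
    return [f for f in findings if f is not None]


# Constructed sample data (made-up accounts, hosts and times).
UAC_CHANGES = [
    {"target": "svc-backup", "actor": "jdoe", "old_uac": 0x10200, "new_uac": 0x410200},
    {"target": "alice", "actor": "helpdesk", "old_uac": 0x10202, "new_uac": 0x10200},  # re-enable only
]
ACL_CHANGES = [
    {"object": "DC=corp,DC=example", "trustee": "svc-backup", "actor": "jdoe",
     "rights_granted": ["DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"]},
    {"object": "OU=Sales,DC=corp,DC=example", "trustee": "helpdesk", "actor": "admin",
     "rights_granted": ["User-Force-Change-Password"]},
]
LDAP_SEARCHES = [
    {"dc": "dc01", "time": 1_700_000_100, "client_ip": "127.0.0.1",
     "filter": "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"},
    {"dc": "dc01", "time": 1_700_000_500, "client_ip": "10.0.0.7", "filter": "(objectClass=user)"},
]
ADWS_SESSIONS = [
    {"dc": "dc01", "remote_ip": "10.0.5.23", "local_port": ADWS_PORT,
     "start": 1_700_000_000, "end": 1_700_000_300},
]

if __name__ == "__main__":
    for f in run_checks(UAC_CHANGES, ACL_CHANGES, LDAP_SEARCHES, ADWS_SESSIONS):
        print(f"[{f.rule}] {f.subject}: {f.detail}")
```

The third check is the one specific to ADWS: a DC's own services also talk to LDAP over loopback, so the loopback address alone is noise; the signal is a loopback search that overlaps an open ADWS session, which attributes the query to the session's remote peer.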

FIREBASE MISCONFIGURATION
Firebase is a platform that requires developers to secure individual tables and rows themselves. However, it appears that developers either lacked the necessary security training or did not allocate sufficient time in the development lifecycle to apply the correct security controls. Misconfigured Firebase instances led to the exposure of 19 million plaintext passwords and other sensitive user data.
Causes of the Firebase Misconfigurations
Lack of Security Rules: Some Firebase instances had no security rules enabled, although these should act as the first line of defense against unauthorized access.
Incorrect Setup: In other cases, security rules were set up incorrectly. This improper configuration allowed the public exposure of data that should have been private.
Affected Industries
Retail and Hospitality: Fast food chains and other retail businesses were among those affected, with instances such as Chattr's Firebase implementation exposing user data.
Healthcare: Healthcare applications were found to have exposed personal family photos and token IDs.
E-commerce: E-commerce platforms leaked data from cryptocurrency exchange platforms.
Education: A learning management system for teachers and students exposed records of 27 million users.
Technology and App Development: The very nature of Firebase as a development platform means that a wide array of mobile and web applications across various sectors were impacted.
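Both causes listed above (no rules, or rules that grant everyone access) show up in the rules document itself, so they can be caught before deployment. The linter below is an added example, not code from the digest or from Firebase. It walks a Firebase Realtime Database rules JSON and reports every path where .read or .write is unconditionally true; because rules cascade in the Realtime Database (access granted at a parent applies to all children), an open rule near the root exposes the entire tree. The weak and corrected rule documents are constructed samples.

```python
"""Linter for Firebase Realtime Database security rules (added example, not
from the digest or from Firebase). Both rule documents are constructed."""
import json

# Constructed weak configuration: "test mode" rules left in production.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed corrected configuration: per-user data locked to its owner,
# plus one deliberately public, read-only catalogue.
FIXED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    },
    "catalog": {
      ".read": true,
      ".write": false
    }
  }
}
""")


def _is_open(value):
    # Firebase accepts either the boolean true or the expression string "true".
    return value is True or (isinstance(value, str) and value.strip() == "true")


def find_open_rules(rules_doc):
    """Return [(path, op)] for every .read/.write that grants everyone access."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                if _is_open(value):
                    findings.append((path, key))
            elif key in (".validate", ".indexOn"):
                continue  # data-shape and index directives, not access rules
            elif isinstance(value, dict):
                walk(value, f"{path.rstrip('/')}/{key}")

    walk(rules_doc.get("rules", {}), "/")
    return findings


def grade(rules_doc, public_read_paths=()):
    """Collapse findings into a list of problems. Open write anywhere, or open
    read outside the allow-listed public paths, is a problem; so is an empty
    or missing rules block, since nothing is then explicitly enforced."""
    problems = []
    for path, op in find_open_rules(rules_doc):
        if op == ".write" or path not in public_read_paths:
            problems.append(f"{op} open at {path}")
    if not rules_doc.get("rules"):
        problems.append("rules block empty or missing: review what the console currently enforces")
    return problems


if __name__ == "__main__":
    print("weak :", grade(WEAK_RULES))
    print("fixed:", grade(FIXED_RULES, public_read_paths=("/catalog",)))
```

Run against the weak document it reports both root-level grants; against the corrected one it is silent once /catalog is declared intentionally public, and it still flags that path when it is not.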

INTEGRATION OF EVILGINX 3.3 WITH GOPHISH


Updates to Evilginx and its integration with GoPhish represent significant advancements in phishing campaign technology, offering users more sophisticated tools for creating and managing phishing attempts with enhanced customization and tracking capabilities.
Integration with GoPhish: Evilginx now officially integrates with GoPhish by Jordan Wright. This collaboration allows users to create phishing campaigns that send emails with valid Evilginx lure URLs, leveraging GoPhish's user interface to monitor the campaign's effectiveness, including email opens, lure URL clicks, and successful session captures.
API Enhancements: The update introduces additional API endpoints in GoPhish, enabling changes to the result status of every sent email. This improvement facilitates more dynamic and responsive campaign management.
Lure URL Generation: In the new workflow, when creating a campaign in GoPhish, users no longer select a "Landing Page." Instead, they generate a lure URL in Evilginx and enter it into the "Evilginx Lure URL" text box. This streamlines the creation of phishing campaigns.
Custom Parameters and Personalization: GoPhish automatically generates encrypted custom parameters with personalized content for each link embedded in the generated email messages. These parameters include the recipient's first name, last name, and email. This allows phishing pages to be customized through js_inject scripts, enhancing the effectiveness of phishing attempts.
Expanded TLD Support: Evilginx has expanded its support for Top-Level Domains (TLDs) to improve the efficiency of URL detection in proxied packets. This update aims to better differentiate between phishing and original domains by recognizing URLs ending with a broader range of known TLDs. The updated list includes TLDs such as .aero, .arpa, .biz, .cloud, .gov, .info, .net, and .org, among many others, including all known 2-character TLDs.
** Evilginx and GoPhish are tools used in cybersecurity, particularly in the context of phishing simulations and man-in-the-middle (MitM) attack frameworks. They serve different purposes but can be used together to enhance phishing campaigns and security testing.
Evilginx is a man-in-the-middle attack framework that can bypass two-factor authentication (2FA) mechanisms. It works by tricking a user into visiting a proxy site that looks like the legitimate site they intend to visit. As the user logs in and completes the 2FA challenge, Evilginx captures the user's login information and the authentication token. This allows the attacker to replay the token and access the targeted service as the user, effectively bypassing 2FA protections.
GoPhish is an open-source phishing toolkit designed for businesses and security professionals to conduct security awareness training and phishing simulation exercises. It allows users to create and track the effectiveness of phishing campaigns, including email opens, link clicks, and data submission on phishing pages.

DATA LEAKAGE AND BREACHES STORIES


The stories mentioned here involve serious breaches of trust and security within the U.S. military, highlighting the challenges of safeguarding sensitive information and technology.
A U.S. Navy contractor who, in 2007, inserted malicious code into the software of a submarine's threat detection system. This act was deliberate sabotage that could have compromised the safety and operational capabilities of the submarine. Malicious code in such critical systems could potentially disable threat detection, leading to undetected navigation hazards or enemy actions.
Robert Birchum, a retired U.S. Air Force intelligence officer, who was sentenced to three years in federal prison for unlawfully possessing and retaining classified documents. Birchum, who retired in 2018 as a lieutenant colonel, had a 29-year career during which he served in various intelligence positions, including roles that required him to work with classified intelligence information for the Joint Special Operations Command, the Special Operations Command, and the Office of the Director of National Intelligence.
Harold Martin, a former National Security Agency contractor, was arrested in August 2016 for stealing and retaining highly classified top-secret documents covering 20 years. Martin kept these documents in his home and vehicle. The stolen documents contained sensitive information about NSA planning, intelligence collection, U.S. Cyber Command capabilities, and gaps in U.S. cyber capabilities.
Jerry Chun Shing Lee, a former CIA officer, was arrested in January 2018 on charges of unlawful retention of national defense information. Lee possessed notebooks that contained handwritten notes of classified information, including the true names and phone numbers of assets and covert CIA operational notes.
Jack Teixeira, a member of the Massachusetts Air National Guard, pleaded guilty to leaking highly classified military documents on a social media platform. Teixeira faced a sentence of 11 to 16 years in prison for his actions.

EDR COMPARISON
The "EDR Telemetry" GitHub project aims to track and compare the telemetry features implemented in various EDR systems for Windows. The document serves as a telemetry comparison table, detailing the capabilities of different EDR products in capturing specific types of telemetry data that are relevant to cybersecurity.
CrowdStrike and Microsoft Defender for Endpoint (MDE) appear to have a comprehensive implementation of features across multiple categories. Both products have a high number of features marked as fully implemented across the various telemetry feature categories. This indicates broad coverage in terms of telemetry data collection capabilities, which is crucial for effective endpoint detection and response.
On the other end of the spectrum, WatchGuard and Harfanglab have a noticeable number of features marked as not implemented or only partially implemented. This suggests that these products may have gaps in their telemetry data collection capabilities compared to the other EDR products listed in the document.

FAKE FACEBOOK META PIXEL TRACKER SCRIPT


Cybersecurity researchers have recently uncovered a sophisticated credit card skimming operation that cleverly masquerades as a harmless Facebook tracker, specifically a fake Meta Pixel tracker script.
The Mechanism of the Attack
The attackers exploit the trust placed in widely recognized scripts, such as Google Analytics or jQuery, by naming their malicious scripts in a manner that mimics these legitimate services. On closer inspection, the fake Meta Pixel tracker script reveals JavaScript code that substitutes references to the legitimate domain "connect.facebook[.]net" with "b-connected[.]com," a legitimate e-commerce website that has been compromised to host the skimmer code. This substitution is a key part of the skimmer's operation, as it allows the malicious code to execute under the guise of a legitimate service.
The Skimming Process
Once the malicious script is loaded on a compromised website, it monitors for specific actions, such as a visitor reaching a checkout page. At that point, it serves a fraudulent overlay designed to capture the credit card details entered by the victim. The stolen information is then exfiltrated to another compromised site, "www.donjuguetes[.]es," showcasing the multi-layered nature of this attack.
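The substitution described above leaves a simple trace: something that presents itself as the Meta Pixel loader is fetched from a host other than connect.facebook.net. The scanner below is an added example, not code from the digest or from any vendor; it collects external script sources and URLs embedded in inline scripts from a page and flags any that carry Pixel markers (the fbevents.js filename or an fbq() call) but resolve to a foreign host. The comparison is on the parsed hostname, not a substring match, because a skimmer can put the genuine hostname in the path as bait. The HTML sample and the compromised-shop.example host are constructed.

```python
"""Scanner for Meta Pixel look-alike loaders served from foreign hosts
(added example, not from the digest or any vendor tool). The HTML below is
constructed; compromised-shop.example is a placeholder host."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The genuine Meta Pixel loader is served from this host.
PIXEL_HOST = "connect.facebook.net"
PIXEL_MARKERS = ("fbevents.js", "fbq(")

SAMPLE_HTML = """
<html><head>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn.example/assets/checkout.js"></script>
<script src="https://compromised-shop.example/js/connect.facebook.net/fbevents.js"></script>
<script>
  var l = document.createElement('script');
  l.src = 'https://compromised-shop.example/static/fbevents.js';
  document.head.appendChild(l);
</script>
<script>
  fbq('init', '000000000000000'); fbq('track', 'PageView');
</script>
</head><body></body></html>
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collect external script sources and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def _looks_like_pixel(text):
    return any(marker in text for marker in PIXEL_MARKERS)


def find_fake_pixel(html):
    """Return URLs that carry Meta Pixel markers but resolve to a foreign host."""
    collector = ScriptCollector()
    collector.feed(html)
    candidates = list(collector.external)
    for body in collector.inline:
        candidates.extend(URL_RE.findall(body))
    suspicious = []
    for url in candidates:
        host = (urlparse(url).hostname or "").lower()
        if _looks_like_pixel(url) and host != PIXEL_HOST:
            suspicious.append(url)
    return suspicious


if __name__ == "__main__":
    for url in find_fake_pixel(SAMPLE_HTML):
        print("suspicious pixel loader:", url)
```

On the sample the genuine loader and the unrelated checkout.js pass, while both the external tag and the dynamically built loader pointing at the placeholder host are reported.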
WHAT2LOG
What2Log is a blog dedicated to discussing various aspects of log management and analysis. The blog features updates on the What2Log tool, insights into specific logging features, and discussions on challenges related to log management. Key topics covered in the blog include:
What2Log Updates: The blog provides detailed updates on new versions of the What2Log tool, such as the Aspen and Alder updates. These posts discuss the changes and enhancements introduced in these versions.
EventRecordID: One of the blog posts highlights the EventRecordID, a hidden XML tag in Windows Event Logs that enriches log information.
Event ID 4672: This post discusses the significance of Event ID 4672 in Windows, which logs special privileges assigned to new logons.
Log Management Challenges: Several posts in the blog series titled "The Struggle is Real" address various challenges in log management, including log volume management, log analysis, event correlation, and log aggregation. These posts discuss the complexities and necessary considerations in effectively managing and analyzing logs.
Overall, the blog serves as a resource for individuals interested in the technical aspects of log management, offering both educational content and updates on the What2Log tool on GitHub.
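The two Windows logging details singled out above, EventRecordID and Event ID 4672, are easy to put to work together. The script below is an added example, not code from the digest or from the What2Log project: it parses events in the standard Windows event XML layout, pulls EventID and EventRecordID from the System element, flags 4672 events that hand high-risk privileges to anything other than LocalSystem (logon ID 0x3e7, which always receives them), and uses the sequential EventRecordID to detect records missing from an export. The sample events are constructed; the accounts, logon IDs and record numbers are made up, while the XML namespace, provider name and 4672 field names are the real ones.

```python
"""Parse Windows event XML, flag risky 4672 special-privilege logons and use
EventRecordID to find missing records (added example, not from the digest or
the What2Log project). Sample events are constructed."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Privileges in a 4672 PrivilegeList that deserve a second look.
HIGH_RISK = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

# Logon ID 0x3e7 is LocalSystem, which always receives these privileges.
SYSTEM_LOGON_ID = "0x3e7"


def _event(record_id, event_id, data):
    """Build one constructed Security-channel event in the standard XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><EventRecordID>{record_id}</EventRecordID>'
            f'<Channel>Security</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    _event(1001, 4672, {"SubjectUserName": "SYSTEM", "SubjectDomainName": "NT AUTHORITY",
                        "SubjectLogonId": "0x3e7",
                        "PrivilegeList": "SeAssignPrimaryTokenPrivilege SeTcbPrivilege SeDebugPrivilege"}),
    _event(1002, 4624, {"TargetUserName": "alice", "LogonType": "2"}),
    _event(1005, 4672, {"SubjectUserName": "alice", "SubjectDomainName": "CORP",
                        "SubjectLogonId": "0x5a3c1",
                        "PrivilegeList": "SeSecurityPrivilege SeBackupPrivilege SeDebugPrivilege"}),
    _event(1006, 4672, {"SubjectUserName": "svc-monitor", "SubjectDomainName": "CORP",
                        "SubjectLogonId": "0x6b0", "PrivilegeList": "SeSecurityPrivilege"}),
]


def parse_event(xml_text):
    """Return {'record_id', 'event_id', 'data'} for one event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    return {
        "record_id": int(system.find("e:EventRecordID", NS).text),
        "event_id": int(system.find("e:EventID", NS).text),
        "data": {d.get("Name"): (d.text or "").strip()
                 for d in root.findall("e:EventData/e:Data", NS)},
    }


def risky_special_logons(events):
    """(record_id, user, [privileges]) for 4672 events that grant high-risk
    privileges to any principal other than LocalSystem."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4672:
            continue
        data = ev["data"]
        if data.get("SubjectLogonId", "").lower() == SYSTEM_LOGON_ID:
            continue
        granted = sorted(set(data.get("PrivilegeList", "").split()) & HIGH_RISK)
        if granted:
            hits.append((ev["record_id"], data.get("SubjectUserName"), granted))
    return hits


def record_gaps(events):
    """EventRecordID increases by one per record within a log, so values
    missing from a contiguous export mean records were dropped somewhere
    between the host and the analyst."""
    ids = {ev["record_id"] for ev in events}
    return [i for i in range(min(ids), max(ids) + 1) if i not in ids]


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    print("risky 4672:", risky_special_logons(parsed))
    print("missing records:", record_gaps(parsed))
```

The LocalSystem exclusion is what keeps the 4672 check usable: every service start generates one of these events for SYSTEM, so without it the alert would fire constantly and the genuine case (an interactive user receiving SeDebugPrivilege) would be buried.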

ATTACKGEN
The GitHub repository for AttackGen provides a cybersecurity incident response testing tool that integrates large language models with the MITRE ATT&CK framework to generate tailored incident response scenarios.
Scenario Generation: AttackGen can generate unique incident response scenarios based on selected threat actor groups.
Customization: Users can specify their organization's size and industry for scenarios tailored to their specific context.
MITRE ATT&CK Integration: The tool displays a detailed list of techniques used by the chosen threat actor group according to the MITRE ATT&CK framework.
Custom Scenarios: There is an option to create custom scenarios based on a selection of ATT&CK techniques.
Docker Container: The tool is available as a Docker container image for easy deployment.
Running the Tool: Instructions are provided for running AttackGen and navigating to the provided URL in a web browser.
Scenario Selection: Users can select their company's industry, size, and the desired threat actor group to generate scenarios.

SHARPTERMINATOR
SharpTerminator belongs to a class of attacks known as Bring Your Own Vulnerable Driver (BYOVD). This strategy involves leveraging legitimate but vulnerable drivers to bypass security measures, terminate antivirus and EDR processes, and execute malicious activities without detection. The Terminator tool represents a significant threat due to its ability to disable security solutions, thereby facilitating a range of malicious activities, from deploying additional malware to extensive system compromise and operational disruption. The tool leverages the BYOVD technique, exploiting vulnerabilities in legitimate drivers to bypass security measures.
The use of the Terminator tool and its variants in real-world attacks has been documented, including a notable attack on a healthcare organization on December 15, 2023. In this attack, the perpetrators attempted to execute a PowerShell command to download a text file from a C2 server, which was designed to install the XMRig cryptominer on the targeted system.
Common techniques used by attackers to abuse the Terminator tool:
Exploiting Legitimate but Vulnerable Drivers
Attackers implant a legitimate but vulnerable driver into a targeted system and then exploit that driver to perform malicious actions. This is the core principle of BYOVD attacks, where the Terminator tool leverages vulnerabilities in drivers such as zam64.sys (Zemana Anti-Logger) or zamguard64.sys (Zemana Anti-Malware) to gain kernel privileges and execute attacker-provided code in kernel context.
Kernel-Level Privilege Escalation
Successful exploitation allows attackers to achieve kernel-level privilege escalation, granting them the highest level of access and control over system resources. This escalated privilege is used to disable endpoint security software or evade its detection, enabling attackers to engage in malicious activities without obstruction.
Disabling Security Solutions
Once endpoint security defenses are compromised, attackers are free to disable antivirus and Endpoint Detection and Response (EDR) processes, deploy additional malware, or perform other malicious activities without detection. The Terminator tool specifically targets and terminates processes associated with security solutions, effectively blinding them to ongoing attacks.
Use of IOCTL Codes
The Terminator tool and its variants abuse IOCTL (Input/Output Control) codes to request functionality from the vulnerable driver, such as attempting to terminate targeted processes. This involves sending specific IOCTL codes along with parameters like the process ID of a running process to bend the driver's behavior to the attacker's advantage.
Administrative Privileges and UAC Bypass
To abuse the driver effectively, a threat actor needs administrative privileges and a User Account Control (UAC) bypass, or must convince a user to accept a UAC prompt. This requirement highlights the importance of privilege escalation tactics and social engineering in the successful deployment of the Terminator tool.
Evading Detection
Attackers have evolved their techniques to evade detection by security solutions. For example, the Terminator tool attempts to emulate legitimate protocol/file headers to bypass security measures, although this has met with varying degrees of success. The use of legitimate protocols and services as command-and-control (C&C) servers or communication channels is another tactic for covering their tracks.
Leveraging Public Platforms and Protocols
Attackers also use legitimate platforms and protocols, such as instant messengers (IMs) and free email services, to communicate with compromised systems and maintain control over their targets. This technique helps to blend malicious traffic with legitimate network activity, making detection more challenging.

BITE DISASSEMBLER FOR RUST


BiTE is designed as a platform-agnostic executable analysis tool. Its primary purpose is to provide an environment for inspecting the content of binaries and their debug information. The tool aims to support various architectures, making it versatile for different executable formats.
Assembly Listing Viewing: Allows users to view a binary's disassembly alongside its associated source code.
GUI Porting: Plans to port the graphical user interface to wgpu + winit.
Interactive Elements: Includes a header with buttons and options, assembly listing exploration, and an interactive terminal.
Assembly Instruction Byte Patching: Enables users to modify the binary directly.
Hex Binary Viewer: Provides a hexadecimal view of the binary for detailed inspection.
Debugging Front-Ends: Supports front-end interfaces for debugging purposes.
Architecture Support: Includes support for multiple architectures such as X86-64, AArch64/Armv7, Riscv64gc/Riscv32gc, and MIPS-V.
Demangling Support: Offers demangling for various targets including MSVC, Itanium, and Rust.
Decoding Data Structures: Capable of decoding data structures based on each section of the binary.
Assembly Listing Lifting: Transforms assembly listings into a higher-level representation.
Resolving Addresses: Helps in resolving addresses within the binary.
Interpreting Non-Code Data: Allows for the interpretation of data within the binary that is not executable code.
Creating Labels for Relative Jumps: Facilitates the creation of labels for relative jump instructions within the disassembly.

M-TRENDS 2024
The Google Mandiant report, as detailed in M-Trends 2024, highlights a significant reduction in the time it takes for organizations to detect cyber intrusions, marking a notable improvement in cybersecurity defenses globally. It provides a mixed but cautiously optimistic view of the current state of cybersecurity.
Reduction in Median Dwell Time
The global median dwell time, which measures the average duration attackers remain undetected within a network, has decreased to its lowest point in over a decade. In 2023, this figure was recorded at 10 days, down from 16 days in 2022, and significantly lower than the 78 days observed six years ago.
Increase in Ransomware Detection
The report attributes part of the reduction in dwell time to an increase in ransomware incidents, which are typically easier to detect due to their disruptive nature. Ransomware-related intrusions accounted for 23% of the total in 2023, up from 18% in 2022. These incidents are generally identified more quickly, with ransomware being detected in about six days when the notification comes from an internal source, and in five days from external notifications.
Improvement in Internal Detection Capabilities
There has been a notable improvement in the ability of organizations to detect compromises internally. In 2023, 46% of intrusions were detected internally, up from 37% in 2022. This suggests that investments in cybersecurity tools and training are yielding positive results.
Geographic and Sectoral Variations
While the global trend shows improvement, not all regions experienced the same level of progress. For instance, organizations in the Asia-Pacific region saw a dramatic decrease in median dwell time to nine days, whereas in Europe, the Middle East, and Africa, the median dwell time slightly increased.
Financial services, business and professional services, high technology, retail and hospitality, and health sectors were identified as the most targeted by cyber attackers, primarily due to the sensitive nature of the data they handle.
Evolving Threat Tactics
The report also highlights a shift in attacker tactics, with an increased focus on evasion techniques. Cyber attackers are increasingly targeting edge devices and exploiting zero-day vulnerabilities to maintain their presence undetected within networks for extended periods.
Espionage activities, particularly by groups allegedly linked to China, have intensified, with these groups focusing on acquiring zero-day exploits and targeting platforms with minimal security measures.
Challenges and Recommendations
Despite the improvements, the report underscores the ongoing challenges in cybersecurity. Attackers are adapting quickly, utilizing sophisticated methods such as "living off the land" tactics and zero-day exploits.
Mandiant emphasizes the importance of robust security strategies that include effective threat hunting programs and comprehensive investigations and remediations following breaches.

II. CONTENTS

CVE FORTRA'S GOANYWHERE MFT


CVE-2024-0204 is like a key under the mat: an unauthenticated visitor can walk in and create its own administrator user. This vulnerability can be exploited remotely and is a classic example of CWE-425: "Forced access when a web application is simply too polite to provide proper authorization." Once they've tiptoed through the secret passage, they can create an admin user with read, write, and command execution rights, access sensitive data, deploy malware, or just take complete control because, why not? It's a free-for-all!
Vulnerable versions are 6.x starting from 6.0.1 and 7.x up to 7.4.1, at which point they decided to hang a lock on the door. If you're feeling DIY, the advisory suggests a workaround: delete the endpoint /InitialAccountSetup.xhtml and restart the service. For those fancy container-deployed instances, just replace the file with an empty one and give it a good ol' reboot.

STARBLIZZARD PHISHING ATTACKS


"Star Blizzard" should not be confused with a celestial weather phenomenon or a limited-edition threat from the Dairy Queen. This saga takes place in a digital space where the only snowflakes are the unique identifiers of each hacked system.
Such is the audacity of Star Blizzard, which conducts targeted social engineering attacks on Microsoft Teams using ready-made infrastructure against everyone who uses it. The group has been doing this since November 2023, remaining unnoticed until January 12, 2024. And not just sneaking around, but camping, making a bonfire in your digital backyard while you serenely watched your favorite TV series.
In the world of cybersecurity, where the stakes are high and the attackers are always looking for the next weak link, it's a wonder that any industry can keep a straight face. So, let's all have a nervous chuckle and then maybe, just maybe, update those passwords.

DARK PINK APT


The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and seriously stepped them up in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all in a day's work for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda.
In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

MEET KILLNET: THE CYBER STAR OF THE DRAMA CLUB "DDOS"


KillNet has risen to the top of the cyber activity leaderboard, eclipsing over a hundred other groups in grandiose proxy cyber wars. Their favorite weapon? A very sophisticated distributed Denial of Service (DDoS) attack that hits a sore spot: vital infrastructure, government services, airport websites and, why not, media companies in NATO countries. Europe is their favorite playground, where more than 180 attacks have been reported, while North America is in the corner with less than 10. However, they are not picky: the financial industry, transportation, government agencies and business services all get a turn. Healthcare in the USA? Taken aim at. Government websites from Romania to the United States? Next in line.
To prove themselves as professionals in their field, they expanded their activities, moving from using ready-made tools to creating their own... with a subscription to let you share your achievements.

UK PHISHING
Phishing attacks are on the rise in the UK, and it seems our cybercriminal friends have been busy updating their deception toolkit. They're no longer just sending out those fancy "I'm the deposed prince" emails. No, they've switched to high technology, plunging into the exciting world of QR phishing (or "quishing", because apparently everything is better with "q") and even enlisting AI to write those ever-so-convincing fraudulent emails.
QR codes are the new golden ticket for scammers on social media, preying on the unsuspecting masses looking for concert tickets or the next big sale. Meanwhile, AI is making it easier than ever to fake someone's identity, because who needs real fingerprints or faces anymore if you've got a link from "Her Majesty's Secret Service" promising you a tax refund in Poundcoin.

DCRAT (DARK CRYSTAL RAT)


DCRat is the Swiss Army knife of the cyber underworld, a true testament to the entrepreneurial spirit thriving in the dark corners of the internet. Since its grand debut in 2018, DCRat has been the go-to gadget for every aspiring villain with a penchant for digital mischief. For the low, low price of $7, you too can own a two-month subscription to this marvel of modern malware and dip your toes into the exhilarating world of cybercrime. And for those who are truly committed to the cause, a lifetime license is available for the princely sum of $40. DCRat lures its victims with the digital equivalent of "free candy" signs. Adult content-themed baits? Check. Fake OnlyFans promises? Double-check. It's like the malware is saying, "Hey, I know you were just here for some risqué entertainment, but how about a side of identity theft?"

COMMON VULNERABILITY SCORING SYSTEM (CVSS) V4


The cybersecurity world has been graced with the latest and greatest iteration of the Common
Vulnerability Scoring System, CVSS v4.0. This new version promises to revolutionize the way we assess
the severity and impact of software vulnerabilities, because clearly, v3.1 was just a warm-up act.
And for those who felt left out, CVSS v4.0 now supports multiple scores for the same vulnerability.
Because why have one score when you can have several?
So, there you have it, folks. CVSS v4.0 is here to save the day, with its enhanced clarity, simplicity,
and a focus on resiliency. Because, as we all know, the only thing more fun than assessing vulnerabilities
is doing it with a new, more complex system.

RANSOMWARE Q3
The average enterprise ransom payment soared to over $100,000, with demands averaging a cool $5.3
million. But here's the kicker: 80% of organizations have a "Do-Not-Pay" policy, and yet, 41% ended up
paying the ransom last year. And for those thinking insurance might save the day, think again. A whopping
77% of organizations found out the hard way that ransomware is the party crasher not covered by their
security insurance. It's like showing up to a hurricane with an umbrella.
With Ransomware as a Service (RaaS) making it easier for any wannabe cybercriminal to join the fun,
we can only expect more chaos, more victims, and more snarky retellings like this one. So, here's to 2023,
a year that will be remembered not for technological breakthroughs or cyber defense victories, but for the
sheer audacity and success of ransomware groups. May 2024 be a bit less... successful for them.

RANSOMWARE Q4
In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in
the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed
by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out
and decided to get in on the cyber attack action. Business services won the "most likely to get digitally
mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond
boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top
honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning
hackers, because who doesn't love untraceable money?

INFAMOUS CHISEL MALWARE


Crafted by the digital artisans known as Sandworm, The Chisel is not just malware; it's a masterpiece of
intrusion. This collection of digital tools doesn't just sneak into Android devices; it sets up shop, kicks back
with a martini, and gets to work exfiltrating all sorts of juicy information. System device info, commercial
application data, and oh, let's not forget the pièce de résistance, military-specific applications. Because why
go after boring, everyday data when you can dive into the secrets of the military?
The Chisel doesn't just exfiltrate data; it curates it. Like a connoisseur of fine wines, it selects only the
most exquisite information to send back to its creators. System device information? Check. Commercial
application data? Check. Military secrets that could potentially alter the course of international relations?
Double-check. It's not just stealing; it's an art form.

CYBER TOUFAN AL-AQSA HACKING GROUP

In the world of cyber warfare, where the stakes are as high as the egos, the Cyber Toufan Al-Aqsa burst
onto the scene in 2023 with all the subtlety of a bull in a china shop. They've been busy bees, buzzing from
one Israeli company to another, leaving a trail of digital chaos in their wake. And who's behind this
masquerade of mischief? Well, the jury's still out, but fingers are wagging towards Iran, because if you're
going to accuse someone of cyber shenanigans, it might as well be your geopolitical frenemy, right?
The analysis delves into various aspects of the group's operations, including its background and
emergence, modus operandi, notable attacks and breaches, alleged state sponsorship, and the implications
of its activities for cybersecurity professionals and other specialists across different industries. It also aims
to highlight its significant impact on cybersecurity practices and the broader geopolitical landscape.

MALLOX
Mallox are the digital Robin Hoods of our time, except they steal from everyone and give to themselves.
Since mid-2021, they've been playing hide and seek with unsecured MS SQL servers, encrypting data, and
then graciously offering to give it back for a modest Bitcoin donation. Mallox decided to go shopping for new
malware toys, adding the Remcos RAT, BatCloak, and a sprinkle of Metasploit to their collection.
The analysis delves into various aspects of the group's operations, including its distinctive practice of
appending targeted organizations' names to encrypted files, the evolution of its encryption algorithms, and its
tactics for establishing persistence and evading defenses.

ALPHV
What a dramatic cyber soap opera we've witnessed with the ALPHV ransomware group, also known by
their edgy alias, BlackCat. It's like a game of digital whack-a-mole, with the FBI and friends swinging the
mallet of justice and the ransomware rascals popping up with a cheeky "unseized" banner as if they're playing
a high-stakes game of capture the flag.
The FBI's initial victory lap was cut short when AlphV's site reemerged, now mysteriously devoid of any
incriminating victim lists.
Will the FBI finally pin the cyber tail on the Black Cat, or will these digital desperados slip away once
more? Stay tuned for the next episode of "Feds vs. Felons: The Cyber Chronicles."
Read more: Boosty | Sponsr | TG

III. VULNERABILITY IN FORTRA'S GOANYWHERE MFT (MANAGED FILE TRANSFER)

A. Introduction
CVE-2024-0204 is an authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) product. This vulnerability allows an unauthenticated attacker to create an administrative user for the application. The vulnerability is remotely exploitable and is listed as CWE-425: Forced Browsing, a weakness that occurs when a web application does not adequately enforce authorization on scripts or files.
The vulnerability affects Fortra GoAnywhere MFT versions 6.x from 6.0.1 and versions 7.x before 7.4.1. It was fixed in version 7.4.1, which was released on December 7, 2023. In terms of threat landscape, in 2023, file transfer applications were a top target by threat actors, highlighting the importance of securing such applications.
The vulnerability was originally discovered by researchers malcolm0x and Islam Elrfai. Fortra made customers aware of the issue through an internal security advisory post and made a patch available on December 4, 2023. Also, a proof-of-concept (PoC) exploit code for this vulnerability has been made public.
The advisory suggests that the vulnerability can be mitigated by deleting the endpoint /InitialAccountSetup.xhtml and restarting the service. For container-deployed instances, the file can be replaced with an empty file and then the service can be restarted.

B. GoAnywhere Managed File Transfer (MFT)
GoAnywhere Managed File Transfer (MFT) is a secure software solution that streamlines the exchange of data between systems, employees, customers, and trading partners. It is designed to centralize, simplify, and automate data movements, improving security and meeting compliance requirements.
GoAnywhere MFT can be deployed in various environments including on-premises, in the cloud on platforms like Microsoft Azure and AWS, or within hybrid environments. It is compatible with multiple operating systems such as Windows, Linux, AIX, and IBM i.
The software provides an intuitive browser-based interface with drag-and-drop controls, allowing users to easily customize their dashboard. It also offers a comprehensive set of workflow features that help eliminate the need for single-function tools, manual processes, or unsecure file transfer methods like FTP servers.
GoAnywhere MFT supports a wide range of protocols for secure file transfer, including SFTP (FTP over SSH), FTPS (FTP over SSL/TLS), SCP (Secure Copy over SSH), HTTP/s, AS2, AS3, AS4, and others. It also provides over 60 different tasks that can be chained together in workflows, with no programming or scripting required.
In addition to its core file transfer capabilities, GoAnywhere MFT also includes features for password security, two-factor authentication, and integration with various other systems and applications.

C. Industries covered by GoAnywhere Managed File Transfer (MFT)
GoAnywhere Managed File Transfer (MFT) is commonly used across a variety of industries due to its ability to securely automate the exchange of data. The top industries that use GoAnywhere MFT include:
• Information Technology and Services
• Computer Software
• Financial Services
• Hospital & Healthcare
• Manufacturing
• Consulting
In the IT and services industry, GoAnywhere MFT is used to integrate with web and cloud applications, ensuring data security and providing secured and automated file transfers using a centralized enterprise-level approach. It can also be used to standardize file transfer processes, reducing the need to involve development teams when transferring files:
• Integrating with Web and Cloud Applications: It helps in securely integrating file transfers with web and cloud-based applications.
• Centralizing File Transfer Processes: GoAnywhere MFT provides a centralized platform to manage all file transfers, reducing the need for development teams to be involved in the transfer process.
• Automating File Transfers: It automates repetitive and complex file transfer tasks, saving time and reducing errors.
• Enhancing Security: The solution offers enterprise-level security features, helping IT services firms to protect sensitive data during transfers.

In the computer software industry, GoAnywhere MFT can be used to automate and secure file transfers, reducing the need for custom scripts and manual processes. It can also be used to create, edit, and monitor file transfer jobs, and to perform various workflows and data translations.
• Automating Software Distribution: Securely automating the distribution of software updates and patches to clients.
• Collaboration: Enabling secure collaboration between developers, especially when working with source code and other sensitive data.
• Regulatory Compliance: Assisting software companies in meeting compliance requirements for software development and data handling.
In the financial services industry, GoAnywhere MFT is used to protect sensitive customer data and meet compliance requirements. It helps control the exchange of sensitive cardholder data and track file movements for easy auditing. For example, Sentinel Benefits & Financial Group uses GoAnywhere MFT to create and edit file transfer jobs, monitor security, perform various workflows, and complete hundreds of transactions in seconds.
• Secure Transactions: Automating and securing financial transactions, ensuring sensitive data is protected.
• Compliance: Meeting strict compliance requirements such as PCI DSS for the protection of cardholder data.
• Efficient Data Handling: Streamlining the process of creating, editing, and monitoring file transfer jobs, as demonstrated by Sentinel Benefits & Financial Group.
In the healthcare industry, GoAnywhere MFT can be used to securely transfer patient data and other sensitive information, helping healthcare organizations meet compliance requirements such as HIPAA. It can also be used to automate file transfers, reducing the need for manual processes and improving efficiency.
• Patient Data Protection: Securely transferring patient health information (PHI) while complying with HIPAA regulations.
• Secure Patient Data Exchange: Securely exchanging patient data between healthcare providers, insurers, and other stakeholders.
• Interoperability: Facilitating the exchange of healthcare data between different systems and organizations.
• Compliance with Healthcare Regulations: Ensuring that data transfers comply with healthcare regulations such as HIPAA.
• Automating Healthcare Data Transfers: Automating the transfer of electronic health records (EHRs), lab results, and other critical healthcare data.
• Automating Healthcare Workflows: Automating the transfer of lab results, billing information, and other healthcare-related data.
In the manufacturing industry, GoAnywhere MFT can be used to automate and secure the transfer of design files, production data, and other sensitive information. It can also be used to integrate with other systems and applications, improving efficiency and reducing the need for manual processes.
• Secure Design File Transfers: Protecting the transfer of sensitive design and production files.
• Supply Chain Integration: Integrating with supply chain partners for efficient data exchange.
• Automating Manufacturing Processes: Automating the transfer of manufacturing data, such as inventory levels, order data, and shipment tracking.
In the consulting industry, GoAnywhere MFT can be used to securely transfer sensitive client data and other information. It can also be used to automate file transfers, reducing the need for manual processes and improving efficiency.
• Client Data Security: Ensuring the secure transfer of sensitive client data during consulting engagements.
• Project Collaboration: Facilitating secure collaboration on projects that involve data sharing between consultants and clients.
• Efficiency and Automation: Automating the exchange of data and reports with clients, improving efficiency and reducing manual effort.

D. Root cause of CVE
The root cause of CVE-2024-0204 is identified as CWE-425: Forced Browsing. This weakness occurs when a web application does not adequately enforce authorization on scripts or files, allowing attackers to bypass authentication mechanisms and gain unauthorized access. Specifically, the vulnerability in Fortra's GoAnywhere MFT allows an unauthenticated attacker to create an admin user through the administration portal.
The exploit takes advantage of a path traversal issue, which is a type of security vulnerability that allows attackers to access files and directories that are stored outside the web root folder. Attackers can manipulate variables that reference files with dot-dot-slash (../) sequences and similar methods to access arbitrary files and directories stored on the file system. In the case of CVE-2024-0204, the path traversal issue allows access to the vulnerable /InitialAccountSetup.xhtml endpoint of the GoAnywhere MFT administration portal.
Once the attacker has access to this endpoint, they can create an administrative user with all the associated admin read and write permissions, and command execution capabilities. This effectively bypasses the normal authentication requirements, as the attacker does not need to provide any valid credentials to gain administrative access to the system.
This vulnerability is particularly risky for customers who have an admin portal exposed to the internet, as it makes the system easily accessible to potential attackers.
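As a defender-side check for the mechanism described in section D (an added example; not code from the digest, from Fortra or from Horizon3.ai), the Python script below parses web-server access logs in Common Log Format, normalizes each request path the way a server would before routing, and flags every request that resolves to /InitialAccountSetup.xhtml, since on an instance that is past initial setup that endpoint should never be reached. The log lines, paths and timestamps are constructed samples, and Common Log Format is an assumption about how the front end logs requests.

```python
"""Access-log triage for CVE-2024-0204 style hits (added example, not the
digest's own code). Any request that resolves to the initial-setup endpoint
on an already-configured instance is suspicious; the endpoint should be
unreachable (or deleted, per the vendor advisory) after setup."""
import re
from urllib.parse import unquote

SETUP_ENDPOINT = "/InitialAccountSetup.xhtml"

# Common Log Format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from any real deployment). Paths, addresses
# and timestamps are invented for the example.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2024:10:01:02 +0000] "GET /auth/Login.xhtml HTTP/1.1" 200 5120
203.0.113.5 - - [22/Jan/2024:10:01:09 +0000] "POST /auth/Login.xhtml HTTP/1.1" 302 0
198.51.100.7 - - [22/Jan/2024:10:02:31 +0000] "GET /static/../InitialAccountSetup.xhtml HTTP/1.1" 200 8231
198.51.100.7 - - [22/Jan/2024:10:02:40 +0000] "POST /static/%2e%2e/InitialAccountSetup.xhtml HTTP/1.1" 302 0
192.0.2.9 - - [22/Jan/2024:10:05:00 +0000] "GET /InitialAccountSetup.xhtml HTTP/1.1" 403 0
"""


def decode_path(target):
    """Drop the query string and percent-decode twice (catches %252e)."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def normalize_path(target):
    """Collapse '.', '..' and empty segments the way a server does before
    routing, so '/static/../X' and '/X' compare equal."""
    out = []
    for seg in decode_path(target).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = normalize_path(rec["target"])
    # A non-canonical request form (dot segments, encoding tricks) that still
    # lands on the endpoint is the traversal pattern the text describes.
    rec["non_canonical"] = decode_path(rec["target"]) != rec["path"]
    return rec


def find_setup_hits(log_text):
    """Return records for every request that resolved to SETUP_ENDPOINT,
    each tagged with whether it was non-canonical and whether a POST was
    accepted (2xx/3xx), i.e. the server may have created an account."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(SETUP_ENDPOINT):
            continue
        rec["accepted_post"] = rec["method"] == "POST" and rec["status"] < 400
        hits.append(rec)
    return hits


def summarize(hits):
    """One line per hit, severity first, for a SIEM or a quick triage read."""
    lines = []
    for h in hits:
        if h["accepted_post"]:
            sev = "CRITICAL"   # an admin account may now exist; audit users
        elif h["non_canonical"] and h["status"] < 400:
            sev = "HIGH"       # a traversal form reached the setup page
        else:
            sev = "INFO"       # blocked or direct probe; still worth noting
        lines.append(f"{sev} {h['ts']} {h['ip']} {h['method']} {h['target']} -> {h['status']}")
    return lines


if __name__ == "__main__":
    for line in summarize(find_setup_hits(SAMPLE_LOG)):
        print(line)
```

A CRITICAL line is the cue to compare the application's admin user list against the expected set and to confirm the endpoint has been removed per the advisory.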

E. CVE Impact and affected systems
The impact of CVE-2024-0204 on GoAnywhere MFT users is significant due to the critical nature of the vulnerability. Here are the key impacts:
• Creation of Unauthorized Admin Users: The vulnerability allows an unauthenticated attacker to create an administrative user, which could lead to unauthorized access to the system
• Potential for Data Breach: With administrative access, attackers could potentially access sensitive data, which could result in a data breach
• Malware Deployment: Attackers with admin privileges could deploy malware, including ransomware, which could disrupt operations and lead to financial losses
• Complete System Takeover: The creation of admin-level users could allow attackers to take complete control of the affected system
• Risk of Extortion: Given the ease of exploitation, there is a risk of extortion, with attackers potentially threatening to publish sensitive data unless they receive payment
• Operational Disruption: Unauthorized access and potential subsequent attacks could disrupt the normal operations of the affected organizations
• Compliance and Legal Issues: Organizations affected by a breach resulting from this vulnerability could face compliance issues and legal consequences
CVE-2024-0204 has a CVSS score of 9.8 (critical severity). It's also worth noting that a proof-of-concept exploit for this vulnerability has been made public, which could make it easier for attackers to exploit this vulnerability.
The difference between a CVSS score of 9.8 and 10.0 primarily lies in the "Scope" metric within the CVSS scoring system. A CVSS score of 10.0 indicates that the vulnerability has the most severe impact and exploitability metrics, and its impact extends beyond the vulnerable component itself, affecting other components as well. In contrast, a CVSS score of 9.8 also represents a vulnerability with the most severe exploitability and impact metrics, but its impact does not extend beyond the vulnerable component.
In simpler terms, a CVSS score of 10.0 suggests a vulnerability that can cause more widespread damage across the system, potentially compromising additional systems beyond the initial point of exploitation. A score of 9.8, while still critical, indicates a vulnerability that is confined to the affected component and does not have the ability to impact other parts of the system.

F. Attack flow and scenario
The attack complexity level of CVE-2024-0204 is low. This means that the conditions required to exploit the vulnerability are not difficult to achieve, and the attack can be carried out consistently without any special conditions. The low complexity level, combined with the critical severity of the vulnerability, makes it a significant security concern.
1) Attack flow
The attack flow for CVE-2024-0204, an authentication bypass vulnerability in Fortra's GoAnywhere MFT, is as follows:
• Initial Access: The attacker, who is unauthenticated, accesses the GoAnywhere MFT administration portal. This is possible due to the path traversal issue that the vulnerability presents
• Exploitation: The attacker exploits the path traversal issue to gain access to the /InitialAccountSetup.xhtml endpoint
• Creation of Admin User: Once the attacker has access to the /InitialAccountSetup.xhtml endpoint, they can create an administrative user. This user has all the associated admin read and write permissions, and command execution capabilities
• Potential Further Exploitation: With administrative access, the attacker could potentially access sensitive data, deploy malware, or take complete control of the system
2) Attack scenario
Potential attack scenarios for CVE-2024-0204 could include:
• Ransomware Attacks: Given the history of file transfer products being used as gateways for ransomware attacks, there is a concern that CVE-2024-0204 could be exploited in a similar manner. Attackers could use the admin access gained through this vulnerability to deploy ransomware, encrypting files and demanding a ransom for their decryption
• Data Exfiltration: Attackers could use the admin access to exfiltrate sensitive data. This could include personal data, financial information, or proprietary business data. The stolen data could be sold on the dark web, used for identity theft, or used to gain a competitive advantage
• System Takeover: With admin access, attackers could potentially take complete control of the system. This could be used to disrupt operations, deploy additional malware, or use the system as a launchpad for further attacks
• Extortion: Attackers could threaten to publish sensitive data unless they receive payment. This could be particularly damaging for organizations that handle sensitive customer data or proprietary information
• Sabotage: In a more destructive scenario, attackers could use the admin access to delete or alter data, disrupt operations, or otherwise sabotage the organization. This could result in significant business impacts, including downtime and financial losses

G. Consequences
The potential consequences of an attack exploiting CVE-2024-0204 on GoAnywhere MFT users include:
• Unauthorized Administrative Access: Attackers can create an admin user via the administration portal without proper authorization, leading to unauthorized access to the system
• Data Breach: With admin access, attackers could potentially access, exfiltrate, or manipulate sensitive data, leading to a data breach
• System Compromise: Attackers could leverage the admin access to further compromise the system, potentially affecting the integrity, availability, and confidentiality of the system and data
• Operational Disruption: The unauthorized access could be used to disrupt operations, which could have significant business impacts, including downtime and financial losses
• Extortion and Ransomware: There is a risk of extortion, with attackers threatening to publish sensitive data unless they receive payment. The vulnerability could also be used as a gateway for ransomware attacks, as seen with previous vulnerabilities in file transfer products
• Reputation Damage: A successful attack could damage the reputation of the affected organization, leading to loss of customer trust and potential legal consequences
• Compliance Violations: Organizations could face regulatory fines and sanctions if the breach results in non-compliance with data protection laws and industry regulations

H. CVE PoC
The GitHub link https://github.com/horizon3ai/CVE-2024-0204/ leads to a Python script, which is a PoC-exploit for the vulnerability. This script, developed by Horizon3.ai, demonstrates how the authentication bypass vulnerability in GoAnywhere MFT can be exploited.
The script works by sending a POST request to the /InitialAccountSetup.xhtml endpoint of the GoAnywhere MFT application. The request includes parameters to create a new administrative user, effectively bypassing the authentication mechanism.
1) Script parameters
These parameters include information necessary to create a new user account, such as:
• Username: The desired username for the new administrative account.
• Password: The password for the new account, which must meet the complexity requirements of GoAnywhere MFT.
• Email Address: The email address associated with the new administrative account.
• Full Name: The full name of the individual associated with the new account.
• Permissions: The level of access or roles assigned to the new user, in this case, administrative privileges.
These parameters are sent in the body of the HTTP POST request as part of the request payload. The server processes these parameters and creates a new user account with the specified details.
After running the PoC-script for CVE-2024-0204, the expected response would be an indication that the script successfully created a new administrative user in the GoAnywhere MFT application. The specific details of the response would depend on the application's behavior upon user creation, but generally, you might expect:
• HTTP Success Response: A status code indicating success (e.g., HTTP 200 OK) from the web server, signifying that the POST request was successfully processed.
• Confirmation Message: A message or JSON response from the application confirming that the new administrative user has been created.
• Error Messages: Error messages that would indicate the request was unsuccessful.
• Administrative Access: The ability to log in with the newly created administrative user credentials, confirming that the user has been created with the expected permissions.

I. Other vulnerabilities related to CVE
Other vulnerabilities that have been discovered in GoAnywhere MFT include:
• CVE-2021-46830
• CVE-2023-0669
CVE-2021-46830 is a path traversal issue that could potentially allow an external user who self-registers to access unintended areas of the application. It affects versions of GoAnywhere MFT prior to 6.8.3.
CVE-2023-0669 is a pre-authentication command injection that could be exploited by an arbitrary user. It was specifically a concern for customers with an admin portal accessible through the internet. The vulnerability involves deserializing untrusted data without proper validation, impacting confidentiality and integrity.
1) Attack flow [CVE-2021-46830] and scenario
Based on the nature of CVE-2021-46830, the attack flow for such a vulnerability involves the following steps:
• Discovery: The attacker discovers that the web application is vulnerable to path traversal due to inadequate input validation.
• Exploitation: The attacker crafts a request that includes directory traversal sequences (e.g., ../) to navigate from the web root to directories that should be inaccessible.

• Access: The crafted request allows the attacker to access or execute files that are outside of the intended web-accessible directories.
• Impact: Depending on the files or directories accessed, the attacker could potentially read sensitive information, execute unauthorized commands, or leverage the access to further compromise the system.
For CVE-2021-46830 specifically, the vulnerability allowed an external user who self-registers to access unintended areas of the GoAnywhere MFT application, which could potentially lead to unauthorized information disclosure or further attacks.
A potential attack scenario could look like this:
• Initial Access: An attacker identifies a GoAnywhere MFT application that is accessible over the network and allows self-registration of users.
• Exploitation: The attacker self-registers and then manipulates file paths in the application to access directories and files outside of the intended scope.
• Information Disclosure: The attacker reads files that they should not have access to, potentially gaining access to sensitive information.
• Further Attacks: Depending on the nature of the accessed data and the functionality of the application, the attacker could potentially use the information gained to carry out further attacks.
2) Attack flow [CVE-2023-0669] and scenario
Based on the nature of CVE-2023-0669, the attack flow for such a vulnerability involves the following steps:
• Reconnaissance: The attacker identifies a vulnerable target system that is accessible and has the specific vulnerability, in this case, CVE-2023-0669.
• Crafting the Attack: The attacker creates a malicious input or payload designed to exploit the vulnerability.
• Delivery: The attacker sends the crafted payload to the target system. This could be through network requests, malicious files, or other means depending on the nature of the vulnerability.
• Exploitation: The payload triggers the vulnerability, allowing the attacker to execute arbitrary code or commands, bypass security mechanisms, or otherwise compromise the system.
• Post-Exploitation: After successful exploitation, the attacker may perform actions such as establishing persistent access, escalating privileges, stealing data, or spreading to other systems.
A potential attack scenario for a vulnerability like CVE-2023-0669, which requires human interaction, could involve:
• Social Engineering: An attacker might use social engineering techniques to trick a user into performing certain actions that would trigger the vulnerability. This could involve sending a malicious document or link to the user.
• Malicious Document: The attacker could craft a document that exploits the vulnerability when opened or interacted with by the user. This document could be disguised as a legitimate file to increase the chances of the user opening it.
• Remote Code Execution: If the vulnerability allows for remote code execution, the attacker could potentially execute arbitrary code on the victim's system once the malicious document is processed.
• Privilege Escalation: The attacker could use the vulnerability to gain higher privileges on the system, potentially leading to a full system compromise.
• Data Theft or Manipulation: With the ability to execute code, the attacker could steal sensitive data, manipulate data, or install additional malicious software on the system.
• Persistence: The attacker could establish a persistent presence on the affected system, allowing for continued access and further exploitation.
3) Attack flow and scenario differences
In terms of impact, CVE-2024-0204 allows an attacker to bypass authentication and create an admin user, while CVE-2021-46830 allows an attacker to traverse directories and access or execute files outside of the intended web-accessible directories.
In terms of impact, CVE-2024-0204 involves a path traversal issue in a web application that allows an attacker to bypass authentication and create an admin user, while CVE-2023-0669 involves a vulnerability that can be triggered by processing a specially crafted document.
In terms of scenario, CVE-2024-0204 involves an attacker gaining full administrative access to the system, while CVE-2021-46830 involves an attacker gaining unauthorized access to certain areas of the application.
In terms of scenario, the key difference between the two is that CVE-2024-0204 allows for direct administrative access without the need for user interaction, while CVE-2023-0669 requires a user to interact with a malicious document to trigger the vulnerability. CVE-2024-0204 is a web application vulnerability, whereas CVE-2023-0669 involves document handling, likely in a desktop or server context.
4) Impact [CVE-2021-46830]
The impact of CVE-2021-46830 is that it allows an external user who self-registers to access unintended areas of the GoAnywhere MFT application. This could potentially lead to unauthorized information disclosure or further attacks.
The severity of the impact would depend on the specific data and functionality exposed by the unintended access. For example, if the accessed areas contain sensitive data, the attacker could potentially steal this data. If the accessed areas allow the execution of certain commands or functions, the attacker could potentially use this to further compromise the system.
5) Impact [CVE-2023-0669]
The impact of CVE-2023-0669 could include:
• Unauthorized Access: The attacker could potentially gain unauthorized access to the system or data, depending on the nature of the vulnerability and the system's configuration.
• Data Theft: If the vulnerability allows access to data, the attacker could potentially steal sensitive information.
• System Compromise: In some cases, the attacker could potentially use the vulnerability to execute arbitrary code or commands, which could lead to a full system compromise.
• Denial of Service: If the vulnerability causes the system to crash or become unresponsive, it could potentially lead to a denial of service.
6) Impact differences
CVE-2024-0204 has a more severe impact as it allows an attacker to gain full administrative access to the system, while CVE-2021-46830 could potentially lead to unauthorized information disclosure or further attacks.
CVE-2024-0204 has a more severe impact as it allows an attacker to gain full administrative access to the system, while the impact of CVE-2023-0669 would depend on the nature of the vulnerability and the system's configuration.
7) Consequences [CVE-2021-46830]
The potential consequences of an attack exploiting this vulnerability could include:
• Unauthorized Access: An attacker could potentially gain unauthorized access to directories and files outside of the intended scope. This could lead to unauthorized access to sensitive information or system resources.
• Information Disclosure: The attacker could potentially read files that they should not have access to, leading to the disclosure of sensitive information.
• System Compromise: Depending on the nature of the accessed data and the functionality of the application, the attacker could potentially use the information gained to carry out further attacks, potentially leading to a full system compromise.
• Data Manipulation: If the attacker gains write access to certain files or directories, they could potentially manipulate data, which could have various impacts depending on the nature of the data and the system's functionality.
8) Consequences [CVE-2023-0669]
The potential consequences of CVE-2023-0669 could include:
• Unauthorized Access: The attacker could gain unauthorized access to the system, potentially leading to further exploitation.
• Data Theft: The attacker could steal sensitive data from the compromised system, which could include personal, financial, or proprietary information.
• System Compromise: The attacker could execute arbitrary code, which could lead to a full system compromise, allowing them to modify, delete, or encrypt files.
• Malware Deployment: The attacker could use the vulnerability to deploy malware, including ransomware or a backdoor, to maintain persistent access to the system.
• Denial of Service: The attacker could disrupt services by crashing the system or consuming resources, leading to a denial of service.
• Privilege Escalation: If the vulnerability allows, the attacker could escalate their privileges on the system, gaining higher levels of control.
9) Consequences differences
CVE-2024-0204 could lead to a full system compromise due to unauthorized administrative access, while CVE-2021-46830 could lead to unauthorized access to certain areas of the application and potential information disclosure.
Both vulnerabilities could lead to a full system compromise, but they do so in different ways. CVE-2024-0204 involves unauthorized administrative access to a web application, while CVE-2023-0669 involves remote code execution, potentially through a path traversal flaw.

STAR BLIZZARD
IV.

PHISHING ATTACKS

19
Read more: Boosty | Sponsr | TG
A. Introduction

Star Blizzard, also known as the Callisto Group, SEABORGIUM, BlueCharlie, TA446, COLDRIVER, and TAG-53, is known for targeting governmental organizations, the defense industry, academia, think tanks, NGOs, politicians, and others in the U.S., UK, other NATO countries, and countries neighboring Russia.

Star Blizzard's spear-phishing campaigns typically involve sending spoofed emails that appear to be from legitimate individuals or organizations. These emails are designed to trick victims into providing their email account credentials, which the group then uses to gain unauthorized, persistent access to the victims' email accounts. Once they gain access, Star Blizzard is known to set up mail forwarding rules, granting them ongoing visibility of a victim's correspondence and contact lists, and using this information for follow-on targeting and phishing activities.

B. Common targets of spear-phishing attacks

Spear-phishing campaigns typically target specific individuals or organizations with the goal of stealing sensitive information such as login credentials or infecting systems with malware. The targets are often carefully researched to increase the likelihood of a successful attack. Here are some common targets:
• High-ranking officials within organizations: These individuals often have access to sensitive information, making them attractive targets for spear-phishing campaigns
• Individuals involved in confidential operations: People who handle sensitive data or operations within a company are often targeted due to the valuable information they can provide
• Specific employees within a company: Spear-phishing campaigns may target specific employees within a company, especially those who have access to valuable data or systems
• Specific organizations: Organizations themselves can be targets of spear-phishing campaigns, especially those in sectors like government, defense, academia, and non-governmental organizations (NGOs)
• Social media users: Spear-phishers often use social media and other publicly available sources to gather information about potential targets

Recent years have seen a variety of spear phishing attacks, some of which include:
• Fake Websites: Attackers create counterfeit websites that mimic legitimate ones to deceive individuals into entering their personal information
• CEO Fraud: This involves impersonating a high-level executive and sending emails to employees, often in the finance department, to authorize wire transfers to fraudulent accounts
• Malware: Emails with malicious attachments or links that install malware on the victim's device when opened
• Smishing and Vishing: These are forms of spear phishing via SMS (smishing) or voice calls (vishing), where attackers pose as legitimate entities to extract personal details or financial information

Spear phishing campaigns use various tactics to increase their success rate:
• Target Selection: Attackers choose individuals or organizations with potential access to valuable data or financial gain
• Reconnaissance: Extensive research is conducted on the target to gather personal information, job roles, and interests
• Personalization: Emails are crafted using the target's specific information to appear credible and relevant
• Urgency and Pressure: Messages often convey a sense of urgency or pressure to prompt immediate action from the target
• Shared Interests: Attackers may exploit known interests of the target to create a convincing pretext for the email
• Authority: Impersonating someone in a position of authority or a known contact to elicit trust and compliance

C. Targets of Star Blizzard Campaigns

Star Blizzard has targeted a variety of sectors and individuals since 2019, including:
• Academia: Educational institutions and individuals associated with research or possessing valuable intellectual property


• Defense: Entities within the defense sector, including contractors and suppliers to the military and defense industry
• Governmental Organizations: Various government agencies and departments that have access to sensitive national security information
• Non-Governmental Organizations (NGOs): These organizations may be targeted for their involvement in sensitive political, social, or humanitarian activities
• Think Tanks: Organizations that perform research and advocacy on topics such as social policy, political strategy, economy, military, technology, and culture
• High-Profile Individuals: Politicians and other individuals who may have access to confidential information or influence over important decisions

Specific Targets of Star Blizzard's Spear-Phishing Campaigns:
• Personal Email Addresses: They have predominantly sent spear-phishing emails to targets' personal email addresses, which may have less stringent security controls than corporate or business email addresses
• Corporate or Business Email Addresses: They have also used targets' corporate or business email addresses, indicating a comprehensive approach to targeting both personal and professional aspects of their victims' lives
• Mailing List Data and Contacts: By gaining access to a victim's email account, they have accessed mailing list data and a victim's contacts list, which they then use for follow-on targeting and further phishing activities
• Compromised Email Accounts: These are used for additional phishing activity, indicating a cycle of compromise and exploitation that can self-perpetuate and expand the scope of their campaigns

1) Common Themes or Subjects in Star Blizzard's Spear-Phishing Emails

Star Blizzard's spear-phishing emails often revolve around topics of interest to the target, which they identify through extensive research using open-source resources, including social media and professional networking platforms. They may impersonate known contacts of their targets or respected experts in the field, and create email accounts and fake social media or networking profiles to engage their targets.

2) Common Attachments or Links Included in Star Blizzard's Spear-Phishing Emails

Star Blizzard's spear-phishing emails often contain malicious links or attachments. These are designed to trick the victim into providing their email account credentials, which the group then uses to gain unauthorized, persistent access to the victims' email accounts. They also create malicious domains that resemble legitimate organizations.

3) Common Indicators of Compromise (IOCs) Associated with Star Blizzard's Spear-Phishing Campaigns

Common IOCs associated with Star Blizzard's spear-phishing campaigns include:
• Unauthorized access to personal and corporate email accounts
• Setting up of mail-forwarding rules, which gives them ongoing visibility of a victim's correspondence and contact lists
• Access to mailing list data and a victim's contacts list, which they then use for follow-on targeting
• Use of compromised email accounts for further phishing activity
• Use of the open-source framework Evilginx in their spear-phishing campaigns, which allows them to harvest credentials and session cookies to bypass the use of two-factor authentication

4) Common File Types Included in Star Blizzard's Spear-Phishing Emails

Star Blizzard often includes malicious attachments in their spear-phishing emails and uses file types such as PDFs, Word documents (.doc, .docx), Excel spreadsheets (.xls, .xlsx), or other types of files that can contain embedded scripts or macros.

5) Common Domains or URLs Used in Star Blizzard's Spear-Phishing Campaigns

Star Blizzard has been known to use URLs that mimic legitimate file-sharing services. Some of the URLs look like this:
• https://drive.google.com/file/d/XXXXXXXXXXXXXX/view?usp=sharing
• https://onedrive.live.com/?authkey=%XXXXXXXXXXXXXXXXXXXXXXXXXX%XXXX&cid=8XXXXXXXXX9B7
• https://www.dropbox.com/s/XXXXXXXXXXXXX/Star_Blizzard_Report.pdf?dl=0

These URLs may look legitimate, but they are actually designed to trick victims into entering their credentials or downloading malicious files.

D. Techniques of Star Blizzard Campaigns

1) Specific Techniques Used by Star Blizzard in Their Spear-Phishing Campaigns

Star Blizzard uses a variety of techniques in their spear-phishing campaigns:
• Targeted Emails: They predominantly send spear-phishing emails to targets' personal email addresses, although they have also used targets' corporate or business email addresses
• Impersonation: They create email accounts impersonating known contacts of their targets. They also create fake social media or networking profiles that impersonate respected experts
• Malicious Domains: They create malicious domains resembling legitimate organizations


• Evilginx: Star Blizzard actors use the open-source framework Evilginx in their spear-phishing campaigns, which allows them to harvest credentials and session cookies to bypass the use of two-factor authentication
• Mail Forwarding: After compromising the target's credentials, Star Blizzard sets up mail forwarding rules to establish ongoing visibility of a victim's correspondence and contact lists

2) Common Social Engineering Techniques Used by Star Blizzard

Star Blizzard's social engineering techniques include:
• Research and Preparation: They conduct extensive research using social media and professional networking platforms to identify topics of interest to engage their target
• Impersonation: They create email accounts and fake social media or networking profiles impersonating known contacts or respected experts
• Building Rapport: By leveraging the information gathered, they build a rapport with the target to make their spear-phishing attempts more convincing
• Email Delivery: The emails are crafted to appear legitimate and relevant to the target's interests or responsibilities, often containing malicious links or attachments
• PDF Lures: The PDF file sent by Star Blizzard is typically unreadable, with a prominent button purporting to enable reading the content. Pressing the button causes the default browser to open a link embedded in the PDF, leading to a credential-stealing

E. New Tactics, Techniques, and Procedures (TTPs) and Evasion Techniques of Star Blizzard

Star Blizzard has notably enhanced its ability to evade detection since 2022, focusing on improving its detection evasion capabilities. Five new Star Blizzard evasive techniques have been identified:
• Use of Email Marketing Platforms: Star Blizzard has begun to utilize email marketing services like Mailerlite and HubSpot for directing phishing campaigns
• Password-Protected PDF Lure Documents: To aid in sneaking past email filters, Star Blizzard has started using password-protected PDF lure documents
• Use of Compromised Victim Email Accounts: They often use compromised victim email accounts to conduct spear-phishing activity against contacts of the original victim
• Malicious Links in Email Attachments: They use malicious links embedded in email attachments to direct victims to their credential-stealing sites
• Use of Compromised Credentials: Star Blizzard has been observed using compromised credentials, captured from fake log-in pages, to log in to valid victim user accounts

1) Server-side scripts

Star Blizzard has started using server-side scripts to prevent automated scanning of their actor-controlled servers. This tactic is an interesting approach that enhances their evasion capabilities.

Server-side scripts are scripts that run on the server, as opposed to client-side scripts that run in the user's browser. By using server-side scripts, Star Blizzard can control what information is sent to the client and what is kept on the server, making it harder for automated scanning tools to detect malicious activity.

The use of server-side scripts is part of a shift in tactics by Star Blizzard, demonstrating their adaptability and sophistication in evasion techniques. This tactic, along with others such as the use of email marketing platforms, password-protected PDF lure documents, and the use of compromised victim email accounts, has allowed Star Blizzard to continue its spear-phishing campaigns with increased stealth.

Here are some examples of functions that these server-side scripts might perform:
• Collect and Send User Data: In April 2023, Star Blizzard was observed moving away from using hCaptcha servers as the sole initial redirection. Instead, they started executing JavaScript code titled 'Collect and Send User Data' before redirecting the user
• Refining the JavaScript Code: In May 2023, the threat actor refined the JavaScript code, resulting in an updated version titled 'Docs', which is still in use today
• Assessing the User's Environment: The server-side JavaScript code is used to assess the user's environment. This information can be used to tailor the attack to the specific user, increasing the chances of success

The functions pluginsEmpty(), isAutomationTool(), and sendToBackend(data) are examples of the methods used in these scripts.
• pluginsEmpty(): This function checks if the plugins property of the navigator object is empty. Automated scanning tools often do not emulate plugins, so this function can help Star Blizzard identify and ignore such tools.
• isAutomationTool(): This function checks for signs that the client is an automated tool rather than a human user. This could involve checking for specific user agent strings, the presence of certain JavaScript properties, or the speed of interactions.
• sendToBackend(data): This function sends collected data back to the server. The data could include the results of the previous checks or other information about the client's environment. This information can be used to tailor the attack to the specific user, increasing the chances of success.

2) Email marketing platform services

Star Blizzard has begun to utilize email marketing services like Mailerlite and HubSpot for directing its phishing campaigns. These platforms allow the threat actor to create an email campaign, which provides them with a dedicated subdomain on the service that is then used to create URLs. These URLs act as the entry point to a redirection chain ending at actor-controlled servers.

The use of these services offers several advantages to the threat actor. Firstly, emails sent through these platforms may be less likely to be flagged as spam or malicious by email filters, as they come from reputable services. Secondly, these platforms often provide tracking capabilities, allowing the threat actor to monitor the success of their campaigns.

Most Star Blizzard HubSpot email campaigns have targeted multiple academic institutions, think tanks, and other research organizations using a common theme, aimed at obtaining their credentials for a US grants management portal.

3) DNS provider

Star Blizzard has been using a Domain Name Service (DNS) provider to resolve actor-controlled domain infrastructure. This tactic allows the threat actor to manage and control the domains used in their attacks.

The use of a DNS provider offers several advantages to the threat actor. Firstly, it allows them to set up new domains quickly and easily for their attacks. Secondly, it can make it harder for defenders to block or take down the domains, as they are managed by a third-party service.

4) Randomizing DGA for actor registered domains

Star Blizzard has been using Domain Generation Algorithms (DGAs) to randomize the domain names for their infrastructure. DGAs are algorithms that generate a large number of domain names, which can be used as rendezvous points for command-and-control (C&C) servers or for other malicious purposes.

The use of DGAs makes it difficult for security teams and automated systems to predict and block malicious domains because the domains change frequently and can appear random. This technique is a form of domain fluxing, which helps the threat actor evade detection by blocklists, signature filters, reputation systems, and other security controls.

By using a DGA, Star Blizzard can systematically switch between domains during their attacks, making it harder for defenders to track and remove these domains. This tactic is part of their sophisticated approach to maintaining their malicious operations and avoiding disruption by cybersecurity measures.

5) Password-protected PDF lures or links to cloud-based file-sharing platforms

Star Blizzard has been using password-protected PDF lure documents or links to cloud-based file-sharing platforms as part of their spear-phishing campaigns. These tactics serve multiple purposes:
• Password-Protected PDF Lure Documents: By using password-protected PDFs, Star Blizzard can bypass some automated email scanning systems that cannot analyze the content of encrypted documents. The passwords for these documents are typically provided in the same phishing email or in a follow-up email.
• Links to Cloud-Based File-Sharing Platforms: These links lead to cloud-based platforms where the protected PDFs are stored. The use of legitimate file-sharing services can lend an air of credibility to the phishing attempt and may also evade detection by security systems that trust content hosted on these platforms.

The PDFs often contain a call to action, such as a button or link, which when clicked, redirects the user to a malicious site designed to steal credentials or other sensitive information. This technique is effective because it exploits the user's trust in familiar file-sharing services and the expectation of receiving legitimate documents.

F. Attacks impact

Microsoft did fall victim to a cyberattack by a threat actor known as Blizzard, also referred to as Nobelium, APT29, or Cozy Bear. The attack was detected on January 12, 2024, and began in late November 2023.

The threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold. They then used the account's permissions to access a very small percentage of Microsoft corporate email accounts, including members of the senior leadership team and employees in cybersecurity, legal, and other functions.

The attackers exfiltrated some emails and attached documents, and the investigation indicates they were initially targeting email accounts for information related to Blizzard itself. The attack was not the result of a vulnerability in Microsoft products or services, and there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

1) Actions Taken by Microsoft in Response to the Blizzard Cyberattack and Secure Future Initiative

In response to the Blizzard cyberattack, Microsoft took immediate action to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. They have begun notifying employees whose email accounts were compromised during the attack.

Microsoft assured staff and the world that the attack was not due to any specific vulnerability in Microsoft products or services, and there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems.

Microsoft announced that they will apply their current security standards to Microsoft-owned legacy systems, even when these changes might cause disruption to existing business processes. They also plan to make significant changes to their internal security practices.

Microsoft's response underscores its commitment to addressing the threat posed by nation-state actors like Blizzard and its commitment to responsible transparency as recently affirmed in their Secure Future Initiative (SFI).

The Secure Future Initiative (SFI) is a program introduced by Microsoft in November 2023. The SFI rests on three key pillars:
• The development of AI-based cyber defenses.
• Advancements in fundamental software engineering.


• A strategic shift in the balance between security and business risk, acknowledging that the traditional calculus is no longer sufficient

G. Defense (Microsoft Advisory)

1) Defense and protection guidance

In response to the 'Blizzard' cyberattack, Microsoft has provided guidance for defense and protection against such nation-state attacks. This guidance includes:
• Multi-Factor Authentication (MFA): Microsoft emphasized the importance of enabling MFA, as the test tenant account compromised in the attack did not have MFA enabled.
• Monitoring OAuth Applications: Threat actors like Blizzard often use OAuth applications to help hide their activities. Microsoft recommends monitoring for suspicious OAuth applications and revoking any that are not recognized or needed.
• Awareness of Social Engineering Attacks: Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by Blizzard. Awareness and training can help users recognize and avoid these attacks.
• Network Traffic Analysis: Blizzard used residential proxy networks to launch their attacks, routing traffic through a vast number of IP addresses also used by legitimate users. Monitoring and analyzing network traffic for suspicious patterns can help detect such activities.
• Regular Patching and Updating: Keeping systems and software up-to-date is crucial in defending against attacks that exploit known vulnerabilities.

Defend Against Malicious OAuth Applications
• Audit Privilege Levels: Use the Microsoft Graph Data Connect authorization portal to audit the privilege level of all identities, both users and service principals, in your tenant. Scrutinize privileges, especially if they belong to unknown identities, are attached to identities no longer in use, or are excessive.
• Review ApplicationImpersonation Privileges: Audit identities with ApplicationImpersonation privileges in Exchange Online, as these allow a service principal to impersonate a user. Use the PowerShell command Get-ManagementRoleAssignment -Role ApplicationImpersonation -GetEffectiveUsers to review these permissions.
• Identify Malicious OAuth Apps: Use anomaly detection policies to detect malicious OAuth apps that perform sensitive Exchange Online administrative activities. Investigate and remediate any risky OAuth apps through App governance.
• Conditional Access App Control: Implement conditional access app control for users connecting from unmanaged devices to monitor and control how they access cloud apps.
• Review Permissions: Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions. Remove them if they are no longer required.
• Role-Based Access Control: Implement granular and scalable role-based access control for applications in Exchange Online to ensure they are only granted access to the specific mailboxes required.

Protect Against Password Spray Attacks
• Eliminate Insecure Passwords: Encourage the use of strong, unique passwords and eliminate common or weak passwords that are easily guessable.
• Educate Users: Train users to review sign-in activity and report suspicious attempts as "This wasn't me".
• Reset Compromised Passwords: Reset passwords for any accounts targeted during a password spray attack, and investigate further if those accounts had system-level permissions.
• Use Microsoft Entra ID Protection: Detect, investigate, and remediate identity-based attacks with solutions like Microsoft Entra ID Protection.
• Microsoft Purview Audit: Investigate compromised accounts using Microsoft Purview Audit (Premium).
• Enforce Password Protection: Use Microsoft Entra Password Protection for Microsoft Active Directory Domain Services on-premises.
• Risk Detections for User Sign-Ins: Utilize risk detections to trigger multifactor authentication or password changes.
• Password Spray Investigation Playbook: Investigate any potential password spray activity using the password spray investigation playbook.

2) Detection and hunting guidance

In the wake of the Blizzard cyberattack, Microsoft has provided detailed guidance for detection and hunting of such threats.

Hunting for Indicators of Compromise
• Log Data Analysis: Microsoft has provided detailed guidance on what to look for in log data to hunt and detect malicious activity associated with Blizzard
• Posture Management Tools: These tools can help organizations inventory all non-human identities and highlight unused OAuth applications, especially those with over-permissive access to impersonate every user when authenticating to Office 365 Exchange.

Microsoft's detection and hunting guidance for the Blizzard cyberattack involves reviewing Exchange Web Services (EWS) activity and using Microsoft Entra ID Protection, which has several relevant detections that help organizations identify these techniques or additional activity that may indicate anomalous activity. The use of residential proxy network infrastructure by threat actors is generally more likely to generate Microsoft Entra ID Protection alerts due to inconsistencies in patterns of user behavior compared to legitimate activity.

Microsoft Entra ID Protection alerts that can help indicate threat activity associated with this attack include:
• Unfamiliar sign-in properties: This alert flags sign-ins from networks, devices, and locations that are unfamiliar to the user.
• Password spray: This risk detection is triggered when a password spray attack has been successfully performed.
• Threat intelligence: This alert indicates user activity that is unusual for the user or consistent with known attack patterns.
• Suspicious sign-ins (workload identities): This alert indicates sign-in properties or patterns that are unusual for the related service principal.

3) XDR and SIEM alerts and protection

Microsoft Defender for Cloud Apps and Microsoft Defender XDR also provide alerts that can help indicate associated threat activity. These alerts include indications of a significant increase in calls to the Exchange Web Services API, suspicious metadata associated with mail-related activity, and the creation of an OAuth application that accessed mailbox items.

Microsoft Defender XDR and Microsoft Sentinel customers can also use specific hunting queries and analytic rules to find related activity in their networks. These include queries to find sign-ins by a labeled password spray IP and rules to identify password spray attempts, the granting of full_access_as_app permission to an OAuth application, and the addition of service principals/users with elevated permissions.

Once an actor decides to use OAuth applications in their attack, a variety of follow-on activities can be identified in alerts to help organizations identify and investigate suspicious activity.

The following Microsoft Defender for Cloud Apps alerts can help indicate associated threat activity:
• App with application-only permissions accessing numerous emails – A multi-tenant cloud app with application-only permissions showed a significant increase in calls to the Exchange Web Services API specific to email enumeration and collection. The app might be involved in accessing and retrieving sensitive email data.
• Increase in app API calls to EWS after a credential update – This detection generates alerts for non-Microsoft OAuth apps where the app shows a significant increase in calls to Exchange Web Services API within a few days after its certificates/secrets are updated or new credentials are added.
• Increase in app API calls to EWS – This detection generates alerts for non-Microsoft OAuth apps that exhibit a significant increase in calls to the Exchange Web Services API. This app might be involved in data exfiltration or other attempts to access and retrieve data.
• App metadata associated with suspicious mail-related activity – This detection generates alerts for non-Microsoft OAuth apps with metadata, such as name, URL, or publisher, that had previously been observed in apps with suspicious mail-related activity. This app might be part of an attack campaign and might be involved in exfiltration of sensitive information.
• Suspicious user created an OAuth app that accessed mailbox items – A user that previously signed on to a medium- or high-risk session created an OAuth application that was used to access a mailbox using sync operation or multiple email messages using bind operation. An attacker might have compromised a user account to gain access to organizational resources for further attacks.

The following XDR alert can indicate associated activity:
• Suspicious user created an OAuth app that accessed mailbox items – A user who previously signed in to a medium- or high-risk session created an OAuth application that was used to access a mailbox using sync operation or multiple email messages using bind operation. An attacker might have compromised a user account to gain access to organizational resources for further attacks.

Extended Detection and Response (XDR) and Security Information and Event Management (SIEM) systems can provide alerts and protection against malicious activities such as those carried out by the Blizzard threat group.

Microsoft Defender for Cloud Apps can generate alerts for various suspicious activities, including:
• An app with application-only permissions accessing numerous emails.
• An increase in app API calls to Exchange Web Services (EWS), especially after a credential update.
• App metadata associated with suspicious mail-related activity.
• A suspicious user creating an OAuth app that accessed mailbox items.
• XDR can also generate an alert when a suspicious user creates an OAuth app that accesses mailbox items.

According to Microsoft's guidance, these alerts can help organizations identify and investigate suspicious activities related to OAuth applications, which are often used in attacks like those carried out by Blizzard.

To detect password spray attacks, security teams can use various hunting queries that analyze log data for signs of such attacks. Here are some examples of hunting queries and techniques that can be used:
• Failed Authentication Attempts Across Multiple Accounts: Look for sudden spikes in the number of failed login attempts or locked accounts, which can indicate a password spray attack
• Sign-in Attempts from Suspicious Locations: Monitor sign-in attempts from locations that are unusual for the user, as attackers may use IP addresses from different geographic regions
• Unusual Sign-in Times: Password spray attacks often occur at odd hours when fewer users are likely to be active, so monitoring for authentication attempts during these times can be useful
• Low and Slow Attack Indicators: Detect password spray attacks that attempt to stay under the radar by not triggering account lockouts or bad password thresholds
• Advanced Hunting Queries: Use a query-based threat hunting tool like Microsoft Defender's Advanced Hunting to inspect events in your network and gather more information related to password spray alerts
• Alert Classification: Check whether the user received other alerts before the password spray activity, such as impossible travel alerts, activity from infrequent countries/regions, or suspicious email deletion activity

login attempts across all systems. This will help you detect those tell-tale signs of password spraying attacks in the future
• Monitoring and Logging: These are some of the best proactive ways to detect password-spraying attacks. They help to detect failed login attempts and inform the IT Administrator accordingly. For example, if there are 5 unsuccessful login attempts, the password policy locks out the user account, and the network monitoring solution triggers an alarm to the IT Administrator
• SIEM (Security Information and Event Management): In case there is unusual behavior in your organization, your SIEM will pick it up. SIEM solutions aggregate and analyze event data in real time from network devices, servers, domain controllers and more, providing security intelligence for real-time analysis of security alerts generated by applications and network hardware
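The indicators just listed can be checked mechanically. As an added example (not code from the digest or from Microsoft's guidance), the Python below runs those checks over a constructed sign-in log: failures spread across many distinct accounts from one IP inside a time window, per-account counts kept under the lockout threshold (the low-and-slow pattern), quiet-hour activity, and a later success from the same source. The log format, thresholds and sample addresses are assumptions.

```python
"""Password spray detection over sign-in logs (added example, not from the
digest or from Microsoft's own hunting queries).

Implements the indicators the digest lists: failures spread across many
distinct accounts from one source IP, each account kept below the lockout
threshold (the "low and slow" pattern), attempts during quiet hours, and a
success from the same source after the failures. Log layout, thresholds and
the sample log are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<UTC timestamp> <user> <source IP> <Success|Failure>".
# 203.0.113.7 tries nine accounts once each at night, then logs into one;
# 198.51.100.20 is a user mistyping her own password twice.
SAMPLE_LOG = """\
2024-01-12T02:10:05Z alice@example.test 203.0.113.7 Failure
2024-01-12T02:11:40Z bob@example.test 203.0.113.7 Failure
2024-01-12T02:13:02Z carol@example.test 203.0.113.7 Failure
2024-01-12T02:14:55Z dave@example.test 203.0.113.7 Failure
2024-01-12T02:16:30Z erin@example.test 203.0.113.7 Failure
2024-01-12T02:18:11Z frank@example.test 203.0.113.7 Failure
2024-01-12T02:20:47Z grace@example.test 203.0.113.7 Failure
2024-01-12T02:22:19Z heidi@example.test 203.0.113.7 Failure
2024-01-12T02:24:03Z ivan@example.test 203.0.113.7 Failure
2024-01-12T02:25:58Z legacy-test@example.test 203.0.113.7 Success
2024-01-12T09:00:01Z alice@example.test 198.51.100.20 Failure
2024-01-12T09:00:09Z alice@example.test 198.51.100.20 Failure
2024-01-12T09:00:20Z alice@example.test 198.51.100.20 Success
2024-01-12T09:30:00Z bob@example.test 198.51.100.21 Success
"""


def parse_log(text):
    """Parse the whitespace-separated format above into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "ok": result == "Success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_password_spray(events, window=timedelta(hours=1), min_accounts=5,
                          lockout_threshold=5, quiet_hours=(0, 6)):
    """Return one finding per source IP whose failures look like a spray.

    A source is flagged when, inside some `window`, it fails against at least
    `min_accounts` distinct accounts. `low_and_slow` is True when no single
    account reached `lockout_threshold` failures, i.e. a per-account lockout
    policy alone would never have fired.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["ok"]]
        # Sliding window over the (time-sorted) failures: keep the window
        # that touches the most distinct accounts.
        best_accounts, best_start = set(), None
        start = 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in failures[start:end + 1]}
            if len(accounts) > len(best_accounts):
                best_accounts, best_start = accounts, failures[start]["ts"]
        if len(best_accounts) < min_accounts:
            continue

        per_account = defaultdict(int)
        for e in failures:
            per_account[e["user"]] += 1
        quiet = sum(1 for e in failures
                    if quiet_hours[0] <= e["ts"].hour < quiet_hours[1])
        # A success from the same source after the spray started is the
        # "compromised credentials" case the digest describes.
        landed = sorted({e["user"] for e in evs
                         if e["ok"] and e["ts"] >= best_start})
        findings.append({
            "ip": ip,
            "distinct_accounts": len(best_accounts),
            "low_and_slow": max(per_account.values()) < lockout_threshold,
            "quiet_hour_failures": quiet,
            "successes_after": landed,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

In a tenant the same logic would run over exported sign-in records rather than the inline sample; shared egress addresses (corporate NAT, residential proxy pools) need a per-source baseline before a distinct-account count is meaningful.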
Here are some hunting queries provided by Microsoft:

// Find sign-ins by a labeled password spray IP
IdentityLogonEvents
| where Timestamp between (startTime .. endTime)
| where isnotempty(IPTags) and not(IPTags has_any('Azure','Internal Network IP','branch office'))
| where IPTags has_any ("Brute force attacker", "Password spray attacker", "malicious", "Possible Hackers")

// Find MailItemsAccessed or SaaS actions performed by a labeled password spray IP
CloudAppEvents
| where Timestamp between (startTime .. endTime)
| where isnotempty(IPTags) and not(IPTags has_any('Azure','Internal Network IP','branch office'))
| where IPTags has_any ("Brute force attacker", "Password spray attacker", "malicious", "Possible Hackers")

Network traffic analysis can be a powerful tool in detecting password spray attacks:
• Intrusion Detection Systems (IDS): IDS tools monitor network traffic and flag suspicious login activities. They analyze login attempts, account lockouts, and authentication failures to identify potential password spraying attacks
• Security Monitoring: Continuous monitoring of user login activities and abnormal patterns can help identify potential attacks. Monitoring tools can track login

Organizations can use OAuth application permissions to detect potential security vulnerabilities in several ways:
• Investigate, Remediate Risky OAuth Apps: Organizations can use tools like Microsoft Defender for Cloud Apps to investigate and remediate risky OAuth apps. This involves scrutinizing apps that have not been updated recently, apps that have irrelevant permissions, and apps that appear suspicious based on their name, publisher, or URL. OAuth app audit can be exported for further analysis of the users who authorized an app
• Create Policies to Control OAuth Apps: Organizations can set permission policies to get automated notifications when an OAuth app meets certain criteria. For example, alerts can be set up for apps that require a high permission level. OAuth app policies enable organizations to investigate which permissions each app requested and which users authorized those permissions
• Identify Vulnerabilities in OAuth Implementation: Vulnerabilities can arise in the client application's implementation of OAuth as well as in the configuration of the OAuth service itself. Identifying and exploiting these vulnerabilities can help organizations protect their own applications against similar attacks
• Monitor for Malicious OAuth Applications: Threat actors can misuse OAuth applications to automate financially driven attacks. Monitoring for such misuse can help organizations detect and respond to potential security vulnerabilities. For example, Microsoft
attempts from unusual locations, or at unusual times, provides queries that can be used to identify high
which could indicate a password spraying attack outbound email senders and suspicious email events
• User Behavior Analysis: Analyzing user behavior can • Understand the Impact of Malicious OAuth
help detect suspicious activities. Deviations from Application Consent: If a user grants access to a
normal behavior, such as login attempts outside of malicious third-party application, the application can
regular working hours or simultaneous login attempts access the user's data and perform actions on their
from multiple locations, can be red flags for password behalf. Understanding the impact of such actions can
spraying attacks help organizations develop strategies to detect and
• Configure Security Password Settings: If your mitigate potential security vulnerabilities
organization utilizes a Security Logging Platform,
ensure that it's configured to identify or detect failed
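The monitoring points above (breadth across accounts, staying below the lockout threshold, "low and slow" spacing, and a success from the same source after failures) can be reduced to a small detector. The following is an added example, not code from the digest or from Microsoft: the log lines are constructed, the line format "<ISO timestamp> <user> <source ip> <FAIL|SUCCESS>" is assumed, the lockout threshold of 5 matches the figure used in the text, and the other thresholds are assumptions to tune per environment.

```python
"""Password-spray detection over authentication log lines.

Added example (not from the digest or Microsoft). The log lines below are
constructed. Assumed line format:
    "<ISO-8601 timestamp> <username> <source-ip> <FAIL|SUCCESS>"
The lockout threshold of 5 matches the figure used in the text; the other
thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime

LOCKOUT_THRESHOLD = 5       # failures per account before the policy locks it
MIN_DISTINCT_ACCOUNTS = 4   # one source failing against this many accounts = spray
MIN_SPREAD_SECONDS = 60     # failures spaced at least this far apart = "low and slow"

# Constructed sample: one source tries a password against several accounts
# (one succeeds) with ten-minute gaps; another source hammers a single account.
CONSTRUCTED_LOG = """\
2024-04-02T01:00:05 alice 203.0.113.7 FAIL
2024-04-02T01:10:09 bob 203.0.113.7 FAIL
2024-04-02T01:20:14 carol 203.0.113.7 FAIL
2024-04-02T01:30:20 dave 203.0.113.7 FAIL
2024-04-02T01:40:25 erin 203.0.113.7 SUCCESS
2024-04-02T09:15:00 alice 198.51.100.20 FAIL
2024-04-02T09:15:02 alice 198.51.100.20 FAIL
2024-04-02T09:15:04 alice 198.51.100.20 FAIL
2024-04-02T09:15:06 alice 198.51.100.20 FAIL
2024-04-02T09:15:08 alice 198.51.100.20 FAIL
2024-04-02T09:30:00 frank 192.0.2.44 SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, user, source ip, result)."""
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result


def summarise_sources(log_text):
    """Per source IP: failure count per account, successful users, failure timestamps."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    fail_times = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse_line(line)
        if result == "FAIL":
            fails[ip][user] += 1
            fail_times[ip].append(ts)
        else:
            successes[ip].add(user)
    return fails, successes, fail_times


def classify_source(per_user_fails):
    """Return 'spray', 'brute_force' or None for one source's failure profile."""
    if not per_user_fails:
        return None
    if max(per_user_fails.values()) >= LOCKOUT_THRESHOLD:
        return "brute_force"   # trips the lockout: a noisy single-account attack
    if len(per_user_fails) >= MIN_DISTINCT_ACCOUNTS:
        return "spray"         # breadth across accounts while staying below lockout
    return None


def is_low_and_slow(fail_times):
    """True if consecutive failures are spaced out enough to dodge rate-based alerts."""
    times = sorted(fail_times)
    if len(times) < 2:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return min(gaps) >= MIN_SPREAD_SECONDS


def detect(log_text):
    """Return {source_ip: finding} for sources that look like sprays or brute force."""
    fails, successes, fail_times = summarise_sources(log_text)
    findings = {}
    for ip, per_user in fails.items():
        kind = classify_source(per_user)
        if kind is None:
            continue
        findings[ip] = {
            "kind": kind,
            "accounts_tried": sorted(per_user),
            "max_failures_per_account": max(per_user.values()),
            "low_and_slow": is_low_and_slow(fail_times[ip]),
            # a success from the same source is the account to triage first
            "successes": sorted(successes.get(ip, ())),
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect(CONSTRUCTED_LOG).items():
        print(ip, finding)
```

The spray source never exceeds one failure per account, so a per-account lockout policy alone would not notice it; the detector catches it on breadth and flags the one account that succeeded from that source for immediate review.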

26
Read more: Boosty | Sponsr | TG

V. DARK PINK APT

A. Introduction
Advanced persistent threat (APT) attacks spreading throughout the Asia-Pacific (APAC) region, attributed to a group known as Dark Pink, also referred to as the Saaiwc Group, began as early as mid-2021 but escalated significantly in the latter part of 2022. Many of these attacks were directed at APAC countries, but the threat actors also expanded their scope to target a European governmental ministry.
In October 2022, Dark Pink initiated an unsuccessful attack against a European state development agency operating in Vietnam. The group employs a variety of tools and custom-built malicious software designed for data theft and espionage. A significant part of Dark Pink's success can be attributed to the spear-phishing emails used to gain initial access. These emails contain a shortened URL linking to a free-to-use file sharing site, where the victim is presented with the option to download an ISO image that contains all the files needed for the threat actors to infect the victim's network.
Dark Pink APT attacks are characterized by their sophistication and versatility. The group uses spear-phishing emails as the initial access vector, luring victims into downloading a malicious ISO image. The group employs a suite of customized malware tools to execute their attacks. They also use advanced techniques to evade detection.
The consequences of a successful Dark Pink APT attack can be devastating for the affected organization and potentially for national security, given the high-profile nature of their targets. The group's advanced persistence mechanisms allow them to maintain access to a victim's network for a long period of time, enabling them to continue to exfiltrate data and potentially cause further damage.
Timeline of Dark Pink APT Group's Operations
• Mid-2021: The Dark Pink APT group's activities are first observed.
• 2022: Their operations escalate, particularly in the latter part of the year.
• October 2022: An unsuccessful attack is launched against a European state development agency operating in Vietnam.
• January-April 2023: New modules are uploaded to a GitHub account associated with the group, suggesting ongoing development of their toolset
B. Primary Objectives of Dark Pink APT Group
This part discusses the main goals of the Dark Pink APT, which include corporate espionage, document theft, and data exfiltration. It also mentions the group's links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware. The primary objectives of the Dark Pink APT group include:
• Corporate Espionage: One of the main goals of the Dark Pink APT group is to conduct corporate espionage, which involves stealing sensitive information from corporations for competitive advantage or other malicious intent
• Document Theft: The group is actively engaged in the theft of documents, which likely contain confidential and proprietary information, from their targets
• Audio Surveillance: Dark Pink has the capability to capture audio through the microphones of compromised devices, which can be used for eavesdropping on private conversations and meetings
• Data Exfiltration from Messaging Platforms: The group also focuses on exfiltrating data from various messaging platforms, indicating an interest in personal communications and potentially sensitive information shared through these channels
• Geographical Focus: While the majority of Dark Pink's attacks have been directed at countries in the Asia-Pacific region, they have also targeted a European governmental ministry, showing an expansion in their geographical scope
• Victim Profile: Confirmed victims include military organizations in the Philippines and Malaysia, government agencies in Cambodia, Indonesia, and Bosnia and Herzegovina, as well as a religious organization, demonstrating the group's interest in high-value and diverse targets
• Spear-Phishing for Initial Access: A significant factor in the success of Dark Pink's operations is the use of spear-phishing emails that contain a shortened URL. This URL leads victims to a file-sharing site where they are tricked into downloading an ISO image containing malicious files necessary for network infection
• Evolution of Exfiltration Techniques: Dark Pink has evolved its data exfiltration techniques, moving from using email and public cloud services like Dropbox to employing the HTTP protocol and a Webhook service in more recent attacks
C. Tools Used by Dark Pink APT Group
This section introduces the tools widely used by the Dark Pink APT Group to attack, gain access to and exfiltrate data from devices across the world.
1) Tools Used by Dark Pink APT Group

The Dark Pink APT group utilizes a suite of customized malware tools in their attacks, primarily relying on spear-phishing emails to gain access to their targets' networks. Notably, they use TelePowerBot and KamiKakaBot, which are designed to exfiltrate sensitive data from compromised hosts. They have been linked to a new version of the KamiKakaBot malware, which is delivered via phishing emails containing a malicious ISO file. This file contains a WinWord.exe file, which is used to stage a dynamic link library (DLL) sideloading attack. The group has also been found to use the legitimate MsBuild.exe to run the KamiKakaBot malware on victims' devices. The malware's obfuscation technique has improved to better evade anti-malware measures, and it uses an open-source .NET obfuscation engine to hide itself. The group also uses a special messenger exfiltration utility named ZMsg, which is downloaded from GitHub and used to steal communications from Viber, Telegram, and Zalo.
In addition to these, Dark Pink has been found to use DLL side-loading and event-triggered execution methods to run its payloads. They also employ a variety of techniques and services for data exfiltration, including email and public cloud services like Dropbox. As mentioned above, the Dark Pink APT group uses Telegram and a service called Webhook for data exfiltration.
2) Modifications Made to the Tools Used by Dark Pink APT Group
The group has links to a GitHub account where they store PowerShell scripts, ZIP archives, and custom malware designed for future deployment on targeted devices. They have also been observed exploiting the WinRAR 0-day vulnerability (CVE-2023-38831) in their attacks to execute malicious unauthorized code. They have been exploiting this vulnerability by embedding malicious executables within commonly used file types, such as PDFs and JPGs, within ZIP archives. This tactic allows attackers to install malware on a user's device without arousing suspicion, as the victim believes they are interacting with a harmless file. The exploitation file constructed by Dark Pink includes a PDF bait file and a folder with the same name. Inside the folder, there are two files: one is an exe program with the same name as the PDF bait file, and the other is a library file named 'twinapi.dll'. The group also uses techniques such as USB infection and DLL exploitation.
3) New Tactics Employed by Dark Pink APT Group
New tactics employed by the Dark Pink APT group include the use of different Living Off the Land Binaries (LOLBins) techniques and leveraging the functionalities of an MS Excel add-in to ensure persistence. They have also been found to exfiltrate stolen data over HTTP using services like webhook.site, which allows them to set up temporary endpoints to capture and view incoming HTTP requests. Payloads are also being distributed through the TextBin.net service, and the group has been observed exfiltrating stolen data over HTTP using a service. These new tactics indicate the group's ongoing efforts to enhance their capabilities, evade detection, and maintain control over compromised networks.
D. Data Extraction Techniques
The data extraction techniques include:
• Variety of Exfiltration Techniques: Dark Pink has employed a range of techniques and services to exfiltrate data from their targets. This demonstrates the group's adaptability and sophistication in ensuring successful data theft
• Public Services: Publicly available cloud services such as Dropbox have been used by Dark Pink for data exfiltration
• Use of Email and Cloud Services: In previous attacks, the group sent stolen information via email or utilized public cloud services like Dropbox for data exfiltration. This indicates that they leveraged commonly used communication and storage platforms to move data out of compromised networks
• Shift to HTTP Protocol and Webhook Service: More recently, Dark Pink has shifted to using the HTTP protocol and a Webhook service to exfiltrate stolen data. This change in tactics could be an attempt to evade detection by security systems that are more focused on traditional exfiltration methods
• Evolution of Tactics: The evolution from using email and cloud services to HTTP and Webhook services suggests that Dark Pink is continuously refining its exfiltration methods to stay ahead of cybersecurity defenses
Telegram: Dark Pink uses Telegram for both command-and-control and data exfiltration. The group has been observed to use a Telegram bot for executing commands and managing data theft. The stolen data is often sent to a Telegram chat in a zip archive. This method provides a secure and encrypted channel for data exfiltration, making it harder for security systems to detect and block the data transfer
Webhook: Dark Pink has also been observed to use a service called Webhook.site for data exfiltration. Webhook.site is a service that allows users to create temporary endpoints to capture and view incoming HTTP requests. Dark Pink uses this service to exfiltrate stolen data over HTTP. This method allows the group to send data to a specific URL, which can then be accessed and retrieved by the threat actors. This technique can be used to evade detection by security systems that are more focused on traditional exfiltration methods
The group uses a private GitHub repository to host additional modules downloaded by its malware. They have also developed new data exfiltration tools to dodge detection. One of the group's techniques involves the use of the KamiKakaBot malware, which is primarily designed to steal data stored in web browsers such as Chrome, Edge, and Firefox, including saved credentials, browsing history, and cookies. Dark Pink has also been found to exfiltrate stolen data over HTTP using a service.
Furthermore, they employ a specialized toolkit that includes a custom information stealer coded in .NET, known as Cucky. This tool is proficient in extracting passwords, browsing history, login credentials, and cookies from a range of web browsers targeted by the group. The stolen data is stored locally in the %TEMP%\backuplog directory, without transmitting it over the network
E. Dark Pink Origins and Affiliates
Many of Dark Pink's attacks were directed at countries in the Asia-Pacific region, although the group expanded its scope to target a European governmental ministry. This indicates a broadening of their operational scope.
1) Industries Targeted by Dark Pink APT Group
The Dark Pink APT group has targeted a wide range of industries, including government, military, non-profit


organizations, educational institutions, and development agencies across the Asia-Pacific region and Europe. Specific industries mentioned in the context of their attacks include retail, healthcare, gaming, technology, software, pharmaceuticals, aerospace, defense, automotive, and media.
2) New Industries Targeted by Dark Pink APT Group
The Dark Pink APT group has expanded its target industries and geographical reach. While the group was previously thought to focus mainly on Southeast Asian countries, new victims have been identified in Belgium, Thailand, and Brunei. The group has been linked to five new attacks aimed at various entities in these countries, including educational institutions, government agencies, military bodies, and non-profit organizations. This indicates the group's continued focus on high-value targets and its expansion into new industries and regions.
In addition to these, the group has also targeted entities in the retail, healthcare, gaming, technology, software, pharmaceuticals, aerospace, defense, automotive, and media industries. The group's targets include diplomatic, military, and various industries in countries such as Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, Bosnia and Herzegovina, and others
F. Initial Access and Trojan Execution and Persistence
This section explains how Dark Pink gains initial access to their targets, primarily through spear-phishing emails containing a shortened URL that leads to a free-to-use file sharing site.
The initial methods include:
• Spear-Phishing Emails: A significant part of Dark Pink's success can be attributed to the spear-phishing emails used to gain initial access. These emails contain a shortened URL linking to a free-to-use file sharing site
• ISO Image: The victims are presented with the option to download an ISO image from the file sharing site. This image contains all the files needed for the threat actors to infect the victim's network
• Trojan Execution and Persistence: Once the ISO image is downloaded and opened, it triggers the execution of a Trojan on the victim's device. This Trojan is designed to maintain persistence on the infected system, allowing the threat actors to maintain access over an extended period
Spear-phishing is a type of phishing attack that targets specific individuals or groups within an organization. It is a potent variant of phishing, a malicious tactic which uses emails, social media, instant messaging, and other platforms to get users to divulge personal information or perform actions that cause data loss or financial loss. Spear-phishing attacks are highly personalized and often involve prior research about the target. The attackers disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging. The goal of spear-phishing is to steal sensitive information such as login credentials or infect the victim's device with malware. Spear-phishing is a targeted form of phishing where cybercriminals send highly convincing emails to specific individuals within an organization. These emails often contain malicious attachments or links that, when clicked, can deliver Trojans to the victim's system. For instance, the Ursnif Trojan uses a company's stored emails to send what appear to be legitimate emails. These emails contain a Word document attachment with a malicious macro that downloads the malware. Once the payload is executed, the victim's computer becomes a delivery vehicle to spread within an organization
ISO images are files that contain a complete copy of a CD, DVD, or other types of media. They are often used to distribute software or data. Cybercriminals have started using ISO files for their initial compromise because they can help evade security checks designed to look for zipped files. Malicious ISO files have been used to deliver various types of malware, including the IcedID, LokiBot, and NanoCore trojans. The ISO file is typically delivered as part of a malspam campaign, and when the user clicks on the ISO file, it creates a new virtual hard drive disk. ISO images can also be used to deliver malware. Cybercriminals have been observed using ISO image files in malicious spam campaigns to deliver Trojans like LokiBot and NanoCore. The ISO file is delivered as a ZIP archive via a malicious spam mail campaign. When the user clicks on the ISO file, it creates a new virtual hard drive disk. The ISO file contains a malicious LNK file and a hidden directory containing a payload. When the victim clicks on the LNK file, it triggers the execution of the payload. This technique has grown in use as threat actors look to evade Mark-of-the-Web controls. ISO files are often overlooked by antivirus software, making it more likely that attackers can deliver their payload undetected.
Trojan execution refers to the process of a Trojan horse program being run on a computer system. Trojans are malicious programs that disguise themselves as legitimate software. They can be used to gain unauthorized access to a computer system and perform various malicious activities. For example, the IcedID malware contained within an ISO image is executed when the user clicks on a LNK file within the virtual hard drive created by the ISO file. Trojans use various persistence techniques to ensure they continue to run on a system, even after it has been rebooted or after the security software has been run. Some common methods include modifying the registry, creating scheduled tasks, installing itself as a service, or using rootkits to hide its presence. Other techniques include abusing legitimate operating system processes, such as adding an entry to the run keys in the Windows Registry or the Startup folder, which ensures that any referenced programs will be executed when a user logs in. Some less common but more sophisticated methods include abusing Image File Execution Options for debugging and hijacking the Target attribute of shortcut icons.
Persistence refers to the techniques used by attackers to maintain access to a compromised system even after the system has been rebooted or the initial infection vector has been removed. Attackers use various methods to achieve persistence, including adding entries to the run keys in the Windows Registry or the Startup folder, so that their malicious programs are executed every time the system is started or a user logs in. Persistence allows attackers to maintain access to a network as they search for the data they want, and it can also be used to spread other malware. Some Trojans, like the Ursnif Trojan, use fileless persistence techniques, which involve storing an encoded command inside a registry key and launching it using


the Windows Management Instrumentation Command-line (WMIC).
1) Examples of Trojans Delivered Through Spear-Phishing Attacks
Trojans can be delivered through spear-phishing attacks, which are highly targeted and often involve sophisticated social engineering techniques:
• OutSteel and SaintBot: These Trojans were used in attacks targeting an energy organization in Ukraine as part of a larger campaign
• Ursnif: This banking Trojan uses a company's stored emails to send what appear to be legitimate emails with a Word document attachment containing a malicious macro that downloads the malware
• TrickBot: An advanced Trojan that has been spread primarily by spear-phishing campaigns using tailored emails with malicious attachments or links
• IcedID: Delivered within an ISO image as part of a malspam campaign, this Trojan has been used to evade Mark-of-the-Web controls.
2) Common Signs of Trojan Infection Using ISO Images
When a computer has been infected with a Trojan that uses ISO images to deliver malware, there may be several signs indicating the infection:
• Unexpected Advertisements: Advertisements may appear in places they shouldn't be, which can be a symptom of adware, a type of Trojan
• Changed Homepage: The web browser's homepage might change without permission, indicating that a browser hijacker, another type of Trojan, may be present
• Suspicious Processes: Processes related to the Trojan, such as "Your File Is Ready To Download.iso," may run in the background without the user's knowledge
• Redirected Links: Website links may redirect to sites different from what was expected, which can be a sign of a Trojan manipulating web traffic
• Corrupted Files: Opening a file and finding it corrupted could be a red flag that ransomware or another form of malware has infected the system
• Strange Popups: Some forms of malware can disguise themselves as legitimate programs, and unexpected popups may be a sign of such deceptive tactics
• New or Modified Files: Some types of malware may make copies of files or introduce new files into the system, often with generic-sounding names to avoid detection
G. Indicators of Compromise (IOCs)
The Indicators of Compromise (IOCs) related to the Dark Pink APT group, as listed in the CyberInt research, include:
IP Addresses:
• 185.141.63[.]128
• 185.141.63[.]129
• 185.141.63[.]130
• 185.141.63[.]131
Domains:
• hxxp://185.141.63[.]128/office/update/
• hxxp://185.141.63[.]129/office/update/
• hxxp://185.141.63[.]130/office/update/
• hxxp://185.141.63[.]131/office/update/
• hxxp://185.141.63[.]128/office365/update/
• hxxp://185.141.63[.]129/office365/update/
• hxxp://185.141.63[.]130/office365/update/
• hxxp://185.141.63[.]131/office365/update/
File Hashes:
• 5f4dcc3b5aa765d61d8327deb882cf99
• 098f6bcd4621d373cade4e832627b4f6
• 098f6bcd4621d373cade4e832627b4f6
• 098f6bcd4621d373cade4e832627b4f6
• 098f6bcd4621d373cade4e832627b4f6
• 098f6bcd4621d373cade4e832627b4f6
• 098f6bcd4621d373cade4e832627b4f6
• 098f6bcd4621d373cade4e832627b4f6
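The IOCs above are published defanged (hxxp, [.]), so they have to be refanged before they can be compared with logs. The following is an added example, not code from the digest or from CyberInt: the IOC strings are the ones printed in the list above, the proxy log lines and the EDR file events are constructed, and the log formats are assumptions.

```python
"""Refang the published Dark Pink IOCs and match them against logs.

Added example (not from the digest or CyberInt). The IOC strings are those
printed in the IOC list; the proxy log lines and EDR file events below are
constructed, and their formats are assumptions.
"""
from urllib.parse import urlsplit

# IOC strings as published (defanged), copied from the list in section G.
RAW_IPS = ["185.141.63[.]128", "185.141.63[.]129", "185.141.63[.]130", "185.141.63[.]131"]
# Expands to the eight listed URLs: /office/update/ and /office365/update/ on each IP.
RAW_URLS = [f"hxxp://185.141.63[.]{last}/{path}/update/"
            for path in ("office", "office365") for last in (128, 129, 130, 131)]
RAW_HASHES = ["5f4dcc3b5aa765d61d8327deb882cf99", "098f6bcd4621d373cade4e832627b4f6"]


def refang(ioc):
    """Undo common defanging: hxxp(s) -> http(s), [.] and (.) -> ., [:] -> :."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


IOC_IPS = {refang(i) for i in RAW_IPS}
IOC_URL_PREFIXES = {refang(u) for u in RAW_URLS}
IOC_HASHES = {h.lower() for h in RAW_HASHES}

# Constructed proxy log, one request per line: "<ts> <client> <method> <url> <status>"
CONSTRUCTED_PROXY_LOG = """\
2024-04-03T10:00:00 10.0.0.5 GET http://185.141.63.129/office365/update/payload.bin 200
2024-04-03T10:00:07 10.0.0.5 GET https://example.com/ 200
2024-04-03T10:01:00 10.0.0.9 GET http://185.141.63.131/other/ 404
2024-04-03T10:02:00 10.0.0.12 POST https://login.example.org/api 200
"""

# Constructed EDR file-write events (host, path, md5); paths are placeholders.
CONSTRUCTED_FILE_EVENTS = [
    {"host": "ws-17", "path": r"C:\Users\u\AppData\Local\Temp\twinapi.dll",
     "md5": "098F6BCD4621D373CADE4E832627B4F6"},
    {"host": "ws-18", "path": r"C:\Windows\System32\kernel32.dll",
     "md5": "00000000000000000000000000000000"},
]


def match_proxy_line(line):
    """Return [(ioc_type, ioc), ...] for one proxy log line (empty if clean)."""
    _ts, _client, _method, url, _status = line.split()
    hits = []
    host = urlsplit(url).hostname
    if host in IOC_IPS:
        hits.append(("ip", host))
    # URL IOCs are directory prefixes, so match on prefix rather than equality
    for prefix in IOC_URL_PREFIXES:
        if url.startswith(prefix):
            hits.append(("url", prefix))
    return hits


def scan_proxy_log(log_text):
    """Map client -> list of IOC hits, for clients whose requests touched an IOC."""
    out = {}
    for line in log_text.strip().splitlines():
        hits = match_proxy_line(line)
        if hits:
            client = line.split()[1]
            out.setdefault(client, []).extend(hits)
    return out


def scan_file_events(events):
    """Return the hosts whose file events carry a known-bad hash (case-insensitive)."""
    return sorted(e["host"] for e in events if e["md5"].lower() in IOC_HASHES)


if __name__ == "__main__":
    print(scan_proxy_log(CONSTRUCTED_PROXY_LOG))
    print(scan_file_events(CONSTRUCTED_FILE_EVENTS))
```

Matching the IP separately from the URL prefix matters: the second client reached one of the listed hosts on a path that is not in the list, which still deserves a look, while the first client hit both the host and the published /office365/update/ path.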


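Section F lists the persistence locations worth checking on a suspected host: Run keys, Image File Execution Options debuggers, and an encoded command stored in a registry value and launched through a LOLBin such as WMIC or PowerShell. The following is an added example, not code from the digest or from any vendor: it triages a .reg export of those keys offline. The export is constructed, the encoded command inside it is a harmless string built in the block, and the heuristics are assumptions that mirror the techniques the text describes rather than any specific Dark Pink or Ursnif sample.

```python
"""Triage Run-key and IFEO persistence entries from a .reg export.

Added example (not from the digest). The registry export below is constructed,
and the heuristics are assumptions that mirror the persistence techniques the
text lists (Run keys, Image File Execution Options, an encoded command launched
via WMIC/PowerShell), not any specific Dark Pink or Ursnif sample.
"""
import base64
import re

# A harmless command encoded the way PowerShell's -EncodedCommand expects
# (base64 of UTF-16LE); used only to build the constructed export below.
DEMO_ENCODED = base64.b64encode("Write-Output demo".encode("utf-16le")).decode()

CONSTRUCTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\Vendor\\tray.exe\" /silent"
"Updater"="powershell.exe -nop -w hidden -enc {ENC}"
"SysHelper"="wmic process call create \"C:\\Users\\u\\AppData\\Roaming\\svc.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\ProgramData\\helper.exe"
'''.replace("{ENC}", DEMO_ENCODED)

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')          # REG_SZ values only
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
LOLBIN = re.compile(r"\b(powershell|pwsh|wmic|mshta|regsvr32|rundll32|cmd)(\.exe)?\b",
                    re.IGNORECASE)
ENCODED = re.compile(r"-(enc|encodedcommand|e|ec)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def unescape_reg(s):
    """Undo .reg string escaping: \" -> " and \\ -> \ ."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Yield (key_path, value_name, value_data) for every REG_SZ value in the export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), unescape_reg(m.group(2))


def decode_encoded_command(data):
    """Return the decoded PowerShell -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(text):
    """Return [{key, name, reasons}] for entries that match at least one heuristic."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        if "Image File Execution Options" in key and name.lower() == "debugger":
            reasons.append("IFEO debugger hijack")
        if LOLBIN.search(data):
            reasons.append("LOLBin launcher")
        if USER_WRITABLE.search(data):
            reasons.append("user-writable path")
        decoded = decode_encoded_command(data)
        if decoded is not None:
            reasons.append("encoded command: " + decoded)
        if reasons:
            findings.append({"key": key, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(CONSTRUCTED_REG_EXPORT):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Decoding the -EncodedCommand blob is the step that turns a registry hit into something an analyst can read; on a real host the same parser runs over an export produced with reg export of the Run and IFEO keys.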
VI. MEET KILLNET: THE CYBER STAR OF THE DRAMA CLUB "DDOS"


A. Introduction
KillNet is a cyber mercenary group that has emerged as a frontrunner among over a hundred similar groups stemming from proxy cyberwars. KillNet's primary strategies revolve around conducting low-level Distributed Denial of Service (DDoS) attacks against vital infrastructure, government services, airport websites, and media enterprises in NATO nations.
KillNet is also known for its robust and confrontational misinformation efforts targeted at its 90,000 Telegram followers. These campaigns involve openly taunting the victims of their DDoS attacks and issuing threats that suggest the attacks could result in loss of human life, contradicting their proclaimed anti-war stance.
KillNet directed its focus towards the European Parliament's website, resulting in the site becoming temporarily unavailable. In response to an investigation initiated against KillNet due to its assault on the European Parliament, the group targeted Belgium's Cybersecurity Center.
The self-proclaimed hacktivist group Anonymous Sudan appears to have increased KillNet's capabilities, and the group has become the collective's most prolific affiliate in 2023, conducting a majority of claimed DDoS attacks. KillNet has also claimed to have 280 members in the US, attributing an attack on Boeing to their US "colleagues".
KillNet's victimology is extensive and includes a variety of sectors and countries:
• Geographical Focus: The majority of KillNet's victims are in Europe, with over 180 documented attacks. North America has experienced fewer than 10 attacks
• Targeted Industries: Common targets include the financial industry, transportation, governmental institutions, and business services
• Healthcare Sector: KillNet has targeted the U.S. healthcare industry, causing concerns due to the potential impact on critical health services
• Government Services: Attacks on government websites have been reported in several countries, including Romania, Moldova, Latvia, and the United States
• Transportation: U.S. airports and other transportation systems have been targeted by DDoS attacks
• Media Enterprises: Media companies within NATO countries have also been affected
Over time, KillNet developed a semi-formal organizational structure with a significant presence on Telegram and began to expand its operations. The group started to build a global team of operators from the darknet, offering services such as misinformation, impact on network infrastructure, reputation killing, data exfiltration, and data leaks, along with DDoS attacks. They also developed their own tools and botnets after initially using open-source tools.
B. Primary Strategies of KillNet & tactics, techniques, and procedures (TTPs)
KillNet's primary strategies revolve around DDoS attacks and brute-force dictionary attacks.
1) DDoS Attacks
KillNet primarily employs low-level DDoS attacks and has been known to use brute-force dictionary attacks. The group does not typically use sophisticated tools or strategies, and while their DDoS attacks can cause service outages, they usually do not result in major damage. KillNet conducts DDoS attacks on the OSI model's layer 4 (SYN flood attacks) and layer 7 (high volume POST/GET requests). These attacks aim to cause resource exhaustion by flooding a target service with malicious connection requests.
2) Brute-Force Dictionary Attacks
KillNet also employs brute-force dictionary attacks against various services. These attacks use predefined wordlists against exposed services, seeking to exploit default or weak credentials. The group primarily targets services like FTP (port 21), HTTP (port 80), HTTPS (port 443), and SSH (port 22), with a particular focus on the root account. They also target Minecraft and TeamSpeak servers.
3) Targets of KillNet's DDoS Attacks
KillNet's DDoS attacks have primarily targeted critical infrastructure, government services, and media companies within NATO countries, including the U.S., Canada, Australia, Italy, and others. The group has also targeted organizations in the healthcare and public health sectors. Other targeted industries include the financial industry, transportation, and business services.
KillNet has also targeted or intends to target military entities, marine terminals and logistics facilities, other forms of transportation, and online trading systems. The group has been particularly active in targeting U.S. organizations, including state government websites and major airport domains.


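The layer-7 floods described in B.1 (high volumes of GET/POST requests from the attacking sources) show up in a web server's access log as a per-client request rate far above what any browser produces, which is what a sliding-window counter catches. The following is an added example, not code from the digest or from any product: the access-log lines are constructed, the line format "<ISO timestamp> <source> <method> <path>" and the limit and window are assumptions to tune per service, and layer-4 SYN floods are out of scope because they need packet-level data rather than request logs.

```python
"""Sliding-window request-rate detection for layer-7 (HTTP GET/POST) floods.

Added example (not from the digest). The access-log lines are constructed;
the line format "<ISO timestamp> <source> <method> <path>", the limit and the
window are assumptions to tune per service.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 20                       # requests one source may make within WINDOW
WINDOW = timedelta(seconds=10)


class SlidingWindowCounter:
    """Per-source request timestamps in a deque; reports when a source exceeds the limit."""

    def __init__(self, limit=LIMIT, window=WINDOW):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def observe(self, src, ts):
        """Record one request at time ts; return True if src is now over the limit."""
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop requests older than the window
            q.popleft()
        return len(q) > self.limit


def constructed_log():
    """Constructed access log: one source floods /login, another browses normally."""
    base = datetime(2024, 4, 5, 12, 0, 0)
    lines = []
    for i in range(25):          # flood: 25 POSTs in five seconds
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.9 POST /login")
    for i in range(5):           # normal: one GET every two seconds
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.3 GET /")
    lines.sort()                 # ISO timestamps sort chronologically as text
    return lines


def flagged_sources(lines, limit=LIMIT, window=WINDOW):
    """Return {source: timestamp of the request that first pushed it over the limit}."""
    counter = SlidingWindowCounter(limit, window)
    first_over = {}
    for line in lines:
        ts, src, _method, _path = line.split()
        if counter.observe(src, datetime.fromisoformat(ts)) and src not in first_over:
            first_over[src] = ts
    return first_over


if __name__ == "__main__":
    print(flagged_sources(constructed_log()))
```

The same observe() call can drive a mitigation decision at the edge (drop or challenge the request once a source is over the limit) rather than only a detection; the deque keeps memory proportional to the number of recent requests per source, which is what makes the counter cheap enough to run inline.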
In addition to these, KillNet has targeted international institutions such as NATO and countries including Germany, Denmark, Sweden, France, Poland, Slovakia, Ukraine, Israel, the United Arab Emirates (UAE), and other NATO ally and partner countries such as Japan.
It's important to note that while KillNet's DDoS attacks can cause service outages lasting several hours or even days, they usually do not cause major damage. However, they can disrupt essential services and pose a significant threat to organizations, especially those in critical sectors like healthcare.
4) Tactics, Techniques, and Procedures (TTPs)
KillNet's primary attack vector is DDoS, which involves flooding a target service with malicious connection requests, causing resource exhaustion. The group has also been known to engage in data exfiltration from targeted networks, including high-ranking officials' email inboxes and bank data.
In terms of tools, KillNet has used a variety of methods, including DDoS scripts and stressers, recruiting botnets, and utilizing spoofed attack sources. In October 2023, KillNet began selling a new DDoS tool, which analysts fear will encourage more attacks. This tool is reportedly efficient and sophisticated, with precision-targeting capabilities and a user-friendly interface.
They utilize several known DDoS scripts, including "Aura-DDoS," "Blood," "DDoS Ripper," "Golden Eye," "Hasoki," and "MHDDoS". They also use a tool called "CC-Attack," a publicly available attack script that automates the use of open proxy servers and incorporates randomization techniques to evade signature-based detection. In addition, KillNet has been observed using slow POST DDoS attacks and other techniques such as ICMP flood, IP fragmentation, TCP SYN flood, TCP RST flood, TCP SYN/ACK, NTP flood, DNS amplification, and LDAP connectionless (CLAP) attacks.
5) Recruitment
KillNet's activities have not been limited to cyberattacks. The group has also engaged in recruitment, fundraising, and promoting their message through various channels, including social media, to expand its support base, targeting individuals with diverse skill sets, including coders, network engineers, penetration testers, system administrators, and social engineers. Despite claims of the group's leader, KillMilk, stepping away from the group in mid-2022, he continues to be a central coordinator for the KillNet Collective.
In 2023, the group announced the launch of its Dark School, a cybercrime school that aims to train the next cohort and swell the ranks of the collective. KillNet recruits new members by
C. Targets, Impact and consequences of KillNet attacks
The impact of KillNet's attacks can range from temporary service outages to potential financial losses and damage to reputation. Governmental responses have included classifying KillNet as a terrorist organization and issuing alerts through cybersecurity agencies.
1) Healthcare industry
KillNet has targeted the United States health and public health (HPH) sector since December 2022. Their signature DDoS attacks on critical infrastructure sectors typically cause service outages lasting several hours or even days. These attacks have severe consequences for patient care, as they can interrupt treatment, lead to patient data loss, and disrupt communication between healthcare providers. In January 2023, KillNet and its affiliates conducted numerous coordinated DDoS attacks on healthcare organizations in the US, which resulted in service outages and significant disruption to routine and critical day-to-day operations. In some cases, the group has also exfiltrated data from a number of hospitals.
In the healthcare sector, KillNet's attacks have caused service outages lasting several hours or even days. These attacks have primarily targeted healthcare systems with at least one hospital and lone hospitals with Level I trauma centers. The group has also targeted pharmaceutical and life sciences industries.
The role of law enforcement in addressing KillNet's attacks includes investigating the incidents, coordinating with international law enforcement groups, and taking actions to disrupt the group's activities. For instance, the FBI, in coordination with international law enforcement groups and Europol, has previously infiltrated the infrastructure of other cyber threat groups.
The Cybersecurity and Infrastructure Security Agency (CISA) also plays a crucial role in helping organizations respond to such attacks. CISA provides resources and guidance to help organizations protect against cyber threats, and it works with affected organizations to mitigate the impacts of attacks.
2) Energy and financial industry
In the energy sector, the attacks could disrupt industrial control systems that support US energy infrastructure. While the impact on the energy sector's ability to provide localized services has been minimal so far, the threat remains. If successful, these attacks could potentially disrupt energy supply, leading to power outages and affecting critical infrastructure.
In the financial sector, DDoS attacks have become a growing concern. These attacks can cause intermittent downtime, forcing security staff to repel the attacks and potentially disrupting
actively seeking suitable candidates from supporters of their financial transactions. Killnet has even threatened imminent
cause, leveraging various social media channels like Telegram attacks on the SWIFT banking system and other financial
and VK. They have a detailed form that potential recruits must institutions. While the actual impact of these threats is uncertain,
fill out before they are considered for membership. KillNet they could potentially disrupt global financial transactions if
operates with a military-like structure, with a clear top-down successful.
hierarchy and multiple smaller squads, which they call their
"Legion," that act upon instructions given out in their Telegram It's important to note that while Killnet uses DDoS as its
channels. main tool, this method is typically used more to draw attention
than to do major damage. However, the group has been
increasing its capabilities and has shown a willingness to target
critical infrastructure. Therefore, while the actual damage

34
Read more: Boosty | Sponsr | TG

caused by Killnet's attacks has been minimal so far, the potential The damage caused by KillNet's attacks on the aviation
for more significant disruption exists. industry, including airlines, has been primarily disruptive rather
than destructive. The group's Distributed Denial of Service
3) Aviation industry (DDoS) attacks have targeted the websites of several major U.S.
These attacks have primarily targeted public-facing websites airports, causing them to slow down or become completely
of airports, causing them to slow down or become completely inaccessible. However, these attacks have not impacted critical
inaccessible. The group has targeted more than 30 European airport operations or disrupted flights.
airports and several major U.S. airports, including Hartsfield-
Jackson Atlanta International Airport, Los Angeles International The impact on airlines operating at these airports would
Airport, Chicago O'Hare International Airport, Orlando primarily be in the form of disrupted customer interactions. For
International Airport, Denver International Airport, Phoenix Sky instance, passengers may have experienced difficulties
Harbor International Airport, and others. accessing flight information, booking or changing flights, or
checking in online while the airport websites were down.
The impact of these attacks on the aviation industry has been However, the actual extent of this disruption is unknown.
primarily disruptive rather than destructive. The DDoS attacks
have caused interruptions to airport websites, affecting customer 4) Other industries
interactions with airlines. However, the attacks have not Besides the healthcare and energy sectors, KillNet has
impacted critical airport operations or disrupted flights. The targeted a variety of other sectors and industries. These include:
European Air Traffic Control Agency Eurocontrol, for instance,
confirmed that a DDoS attack by KillNet affected its website but • Government Services: KillNet has attacked government
did not disrupt flights or pose any threat to air traffic. websites in several countries, including at least three
states in the U.S. last year
Despite the limited impact of these attacks, experts warn of
the potential for more severe attacks in the future. The group has • Transportation: U.S. airport websites have been victims
shown a willingness to target critical infrastructure and has of KillNet's DDoS attacks
called on other groups to launch similar attacks against U.S. • Media and News Outlets: Media companies have also
civilian infrastructure, including marine terminals, logistics been affected by KillNet's operations
facilities, weather monitoring centers, and healthcare systems.
Therefore, while the actual damage caused by KillNet's attacks • Dark Web Markets: KillNet has engaged in attacks
on the aviation industry has been minimal so far, the potential against dark web markets
for more significant disruption exists.
• Financial Sector: The group has threatened the financial
The airlines that have been affected by KillNet's attacks are sector, including the SWIFT banking system and other
not publicly known. However, the attacks have targeted the financial institutions
websites of several major U.S. airports, which could indirectly
affect airlines operating at those airports by disrupting customer • Critical Infrastructure: KillNet has targeted critical
interactions with airlines. The airports that have been targeted airport websites, government services, and media
include Hartsfield-Jackson Atlanta International Airport (ATL), companies within NATO countries, including the U.S.,
Los Angeles International Airport (LAX), Chicago O'Hare Canada, Australia, Italy, and Poland, as well as
International Airport (ORD), Orlando International Airport Ukrainian supporters in practically all Eastern
(MCO), Denver International Airport (DIA), and Phoenix Sky European, Nordic, and Baltic countries
Harbor International Airport (PHX). While the DDoS attack
have caused interruptions to airport websites, they have not
impacted critical airport operations or disrupted flights.

35
Read more: Boosty | Sponsr | TG

VII. PHISHING IN UK


A. Introduction
Phishing attacks in the UK are indeed on the rise, with cybercriminals using increasingly sophisticated methods to deceive individuals and organizations into revealing sensitive information. The National Cyber Security Centre (NCSC) and other organizations like Action Fraud are actively working to combat these threats, providing resources for individuals to report suspicious activities and offering guidance on how to avoid falling victim to these scams. The 2023 Data Breach Investigations Report revealed that 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.

Emerging scams include QR phishing, also called 'quishing', where criminals hide malicious links in QR codes. These scams often start on social media, with criminals responding to fans who posted, looking for tickets or listing fake tickets themselves.

Artificial Intelligence (AI) is also being used by cybercriminals to enhance their phishing attacks. Generative AI can be used to create well-written, personalized phishing emails, making them more convincing and effective. In addition, AI has made deepfaking, a method used to impersonate biometric authentication methods like fingerprints, facial recognition, and voice recognition, much less costly.

B. Tackling phishing in the UK
Tackling phishing in the UK involves a multi-faceted approach that includes government initiatives, collaboration with tech companies, law enforcement actions, and education and awareness programs.

The UK government has taken several steps to combat phishing and other forms of cybercrime. The National Cyber Security Centre (NCSC), a UK government organization, has the power to investigate and take down scam email addresses and websites. The government has also signed a "world-first" charter with some of the biggest technology companies, which commits these companies to blocking and removing fraudulent content from their platforms. In addition, the government has launched a new Fraud Strategy, which includes a new National Fraud Squad led by the National Crime Agency and the City of London Police.

Law enforcement agencies are also playing a crucial role in combating phishing. The National Crime Agency (NCA) is committed to improving the UK's resilience to cyber-attacks and improving the law enforcement response to the cyber-crime threat. The Metropolitan Police Cyber Crime Unit has led multi-agency and international law enforcement operations to take down facilities used by fraudsters.

Education and awareness are key to preventing phishing attacks. Various organizations offer Phishing Awareness Training Courses that educate individuals and employees about the threat posed by phishing and how to recognize and prevent such attacks. The NCSC provides guidance on how to defend against phishing attacks and how to spot and report scam emails, texts, websites, and calls.

Collaboration with international partners is also crucial in tackling phishing, especially given that many cyber threats originate from overseas. The UK's NCSC has joined forces with the National Security Agency (NSA) in the US and other international partners to release updates about ongoing threats and provide guidelines to protect against them.

C. Why phishing in the UK matters
Phishing in the UK matters because it is a significant and growing threat to individuals, businesses, and the nation's critical infrastructure. Phishing attacks, which often involve tricking people into revealing sensitive information or installing malware, have become increasingly sophisticated and prevalent. The National Cyber Security Centre (NCSC) has warned of targeted spear-phishing campaigns against UK organizations and individuals, highlighting the enduring and significant threat to the UK's critical infrastructure.

The financial impact of phishing is substantial, with businesses reporting staggering losses. For instance, in 2021, phishing attacks resulted in a loss totaling $44.2 million globally, and the average cost for an organization to recover from a data breach in the UK surpasses £3.4 million. Moreover, the UK is the biggest target for phishing attacks in Europe, with 96% of organizations in the UK being targeted by phishing.

Phishing also has a considerable impact on the public. Around nine in ten online adults in the UK have encountered content they suspected to be a scam or fraud. The psychological effects on individuals can include anxiety, stress, and other emotional disturbances, which can lead to decreased productivity and absenteeism.

1) Recent phishing attacks in UK
Phishing attacks continue to be a significant cybersecurity threat in the UK, with various recent examples demonstrating the diverse tactics used by cybercriminals.
• Vishing Attacks from Ukraine and Czech Republic: In November 2023, an international operation disrupted a phishing campaign that defrauded victims of tens of millions of euros. The criminals carried out vishing (voice phishing) attacks from call centres in Ukraine, posing as bank employees to pressure victims into transferring money
• Hotel Employee Phishing Campaign: In the same month, phishing campaigns targeted hotel employees. The attackers sent emails to hotel employees, tricking them into clicking a malicious link that downloaded infostealer malware. Once infected, the attackers exfiltrated customer data
• Fake USPS Emails: In May 2023, the USPS and the Postal Inspection Service reported the circulation of fake emails/email scams claiming to be from USPS officials. These emails prompted recipients to confirm their personal delivery information by clicking a button that, when opened, could activate a virus and steal information
• UK Transport Business Phishing Attack: In the first quarter of 2021, a UK transport business was hit by a cyber-attack where an email with a document containing a link to a fake portal was sent to the employees of the organization. The fake portal required the recipient to log in using Office 365/G-Suite authentication credentials. When recipients logged in, their credentials and passphrases were harvested and then used to access the victims' mailboxes
• QR Phishing: In 2024, a new form of phishing called 'quishing' emerged, where criminals hide malicious links in QR codes. They try to get people to hand over their personal information or download malware. This type of phishing can appear as emails claiming a package hasn't been delivered or that there's a problem
• Phishing Attack on Law Firm: A law firm employee failed to recognize a phishing attack. They received an email, clicked a link to download a document, then inadvertently entered login credentials into what they believed was a legitimate website. This resulted in a data breach

2) Recent phishing attacks targeting UK business
Phishing attacks continue to be a significant threat to businesses in the UK, with several notable incidents occurring in recent years.
• British Library Cyber Attack (January 2024): The British Library suffered a cyber attack that rendered its IT systems inoperable. The Rhysida ransomware gang claimed responsibility for the attack and leaked internal human resources data, including scans of employee passports and employment contracts, on the dark web
• WhatsApp Job Offer Scam (November 2023): Thousands of job seekers were targeted by scammers on WhatsApp, who used fake job offers to lure victims into their scheme
• Phishing Attacks on Small Businesses (2023): Research revealed that scams and phishing made up 82% of online threats for small businesses in the UK in 2023. In the first half of 2023 alone, email-based phishing attacks surged 464% in comparison to 2022
• Phishing Attacks on UK Organizations (2022-2023): 83% of UK businesses and charities that suffered a cyber attack identified phishing as the attack type

3) Recent phishing attacks targeting UK individuals
Phishing attacks continue to be a significant cybersecurity threat in the UK, with various recent incidents highlighting the evolving tactics of cybercriminals.
• Phishing attack on Booking.com: In November 2023, a phishing attack targeted Booking.com. The criminals carried out vishing (voice phishing) attacks from call centres in Ukraine, posing as bank employees to pressure victims into transferring money
• Phishing attacks on UK parliamentarians: In December 2023, there were spear-phishing attacks targeting UK parliamentarians from multiple political parties
• Phishing attacks impersonating government emails: In 2022, the National Cyber Security Centre (NCSC) reported on government impersonation scams, where phishing attacks were carried out by impersonating government emails

4) Phishing Scams Targeting Employees
Phishing scams targeting employees, also known as Business Email Compromise (BEC) scams, often target specific roles within a company, such as executives or HR professionals, who have access to sensitive information. These scams typically involve sending emails that appear to be from a senior executive or CEO, requesting a wire transfer or payroll information. Some common employee-targeted phishing scams include:
• Whaling attacks: These are targeted attempts to steal sensitive information from a company by impersonating top executives like CEOs or CFOs
• W-2 phishing scam: In this scam, the attacker impersonates an executive or organization leader and sends a message to a payroll or HR employee asking for W-2 information
• New employee phishing: New employees are often targeted because they are eager to impress and may overlook subtle signs of a phishing attack

5) Phishing Scams Targeting Consumers
Phishing scams targeting consumers often impersonate well-known companies or organizations, such as banks or government agencies, to gain the trust of the targeted individuals. These scams typically involve sending emails or text messages that appear to be from these entities, asking consumers to provide personal identifying information. The scammers then use this information to commit fraud, such as opening new accounts in the consumer's name or invading their existing accounts. Some common consumer-targeted phishing scams include:
• The check-cashing scam: Scammers target people selling items online. They overpay with a check and ask for the excess to be wired back, only for the original check to bounce

• The sales scam: Online shoppers looking for a bargain are targeted on auction sites with high-end electronics. Even if the consumer doesn't win the item, they still have to pay
• The job scam: An apparent employer conducts a phone interview and tells a job seeker they have received a job. The job seeker is then asked to fill out an online credit form, which is used to steal their identity

D. Strategies to get ahead of phishing
Phishing is a significant cybersecurity threat, and early detection is crucial to prevent victims from falling prey to these attacks.
• Detect Phishing Early and Often: Early detection of phishing attacks is vital as 50% of victims fall prey to a phishing attack within 24 hours. Leveraging technology and automation can help identify phishing pages earlier. Deep learning models combined with browser automation can be used to build an automated solution for early detection
• Use DMARC: Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a global standard for email authentication that helps verify the origin of emails and block out fake emails. It allows senders to verify that the email really comes from whom it claims to come from, helping curb spam and phishing attacks
• Monitor Domain Registrations: Monitoring domain registrations can help detect fraudulent websites set up to steal login credentials, divert web traffic, or sell counterfeit products. Services like PhishLabs and Red Points offer domain monitoring services that can automate the process of finding and removing fake accounts, apps, websites, and domains
• Automate Phishing Detection: Machine learning can help detect phishing attacks by learning patterns and creating models that can automatically distinguish between legitimate and malicious websites or other forms of communication. There are also various anti-phishing tools and services available that can help businesses protect against phishing attacks
• Collaborate Across Teams: Collaboration across teams is essential in combating phishing. Regular staff awareness training can ensure that employees know how to spot a phishing email, even as fraudsters' techniques become increasingly more advanced

1) Detect Phishing Early and Often
Early detection of phishing is critical because the first 24 hours are when victims are most susceptible. To detect phishing early and often, organizations can employ various technologies:
• Automated Scanning: Use automated scanning tools to regularly search for phishing websites and emails. These tools can scan and analyze web pages, emails, and other digital content for phishing indicators.
• Machine Learning: Implement machine learning algorithms that can learn from patterns of known phishing attacks and predict new ones. These algorithms can process large volumes of data to identify potential threats more quickly than humans.
• User Reporting: Encourage users to report suspected phishing attempts. Quick reporting can lead to faster takedown of phishing sites and prevent further damage.

2) Use DMARC
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email-validation system designed to protect domain names from being used in phishing scams, email spoofing, and other cybercrimes:
• Email Authentication: DMARC works by ensuring that legitimate email is properly authenticated against established DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) standards.
• Reporting: DMARC also provides a way for email receivers to report back to senders about messages that pass and/or fail DMARC evaluation.
• Policy Enforcement: Senders can set policies for how receivers should handle mail that doesn't pass authentication checks, potentially preventing delivery of fraudulent emails.

3) Monitor Domain Registrations
Monitoring domain registrations can help identify potential phishing sites before they become active:
• Domain Watch Services: Use services that monitor domain name registrations for names that are similar to your brand or trademarks.
• Automated Alerts: Set up automated alerts to notify your security team when a potentially fraudulent domain is registered.
• Take-down Services: Engage with take-down services that can help remove phishing sites once they are identified.

4) Automate Phishing Detection
Automation in phishing detection involves using software to identify and respond to phishing threats:
• Phishing Databases: Utilize databases of known phishing sites to block access to them.
• Real-time Analysis: Implement systems that perform real-time analysis of web pages and emails to detect phishing content.
• Integration: Integrate phishing detection into security infrastructure like firewalls, email gateways, and endpoint protection for a comprehensive defense.

5) Collaborate Across Teams
Collaboration is key to a successful anti-phishing strategy:
• Cross-departmental Training: Conduct regular training sessions across all departments to educate employees about the latest phishing tactics and how to recognize them.
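Returning to the DMARC mechanism described in 2) above: the following is an added example, not code from the digest, showing how a receiving server combines the SPF and DKIM results it already holds with the sender's published record to reach pass/fail and the p= action. The DMARC record table, domains and authentication results are constructed stand-ins for DNS and real mail; organizational-domain detection is simplified to the last two labels, and the sp= and pct= tags are ignored.

```python
"""DMARC evaluation, step by step: fetch the From: domain's policy record,
test whether SPF/DKIM passed *and* are aligned with the visible From: domain,
and apply the published p= policy when neither does.
Added example; DNS is replaced by an in-memory table so it runs offline."""
from dataclasses import dataclass

# Constructed stand-in for DNS: records that would live at _dmarc.<domain>
FAKE_DNS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}

POLICY_ACTION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict; alignment modes default to relaxed.
    v= and p= are mandatory, so a record without them is rejected."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_ACTION:
        raise ValueError(f"invalid DMARC record: {record!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    a real receiver consults the Public Suffix List so co.uk-style suffixes work)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    """What the receiver already knows before DMARC runs (constructed inputs)."""
    from_domain: str   # domain of the RFC5322.From header, i.e. what the user sees
    spf_result: str    # "pass" / "fail" / "none"
    spf_domain: str    # MAIL FROM (envelope) domain SPF was evaluated for
    dkim_result: str   # "pass" / "fail" / "none"
    dkim_domain: str   # d= of the verified DKIM signature, "" if none


def evaluate_dmarc(r: AuthResults, dns: dict = FAKE_DNS) -> dict:
    """Return {'dmarc': pass|fail|none, 'action': ..., 'reason': ...}."""
    # Look for a record at the exact From: domain first, then at its org domain.
    record = dns.get(r.from_domain.lower()) or dns.get(org_domain(r.from_domain))
    if record is None:
        return {"dmarc": "none", "action": "deliver", "reason": "no DMARC record published"}
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        which = "DKIM" if dkim_ok else "SPF"
        return {"dmarc": "pass", "action": "deliver", "reason": f"aligned {which} pass"}
    # Neither mechanism produced an aligned pass: the published policy decides.
    return {"dmarc": "fail", "action": POLICY_ACTION[tags["p"]],
            "reason": f"no aligned SPF/DKIM pass; p={tags['p']}"}


if __name__ == "__main__":
    # 1. Spoof: From: says example.com, but SPF passed for an unrelated envelope
    #    domain and there is no DKIM signature -> p=reject applies.
    spoof = AuthResults("example.com", "pass", "bulk-sender.test", "none", "")
    # 2. Legitimate mail from a subdomain: DKIM d=example.com fails strict
    #    alignment (adkim=s) but SPF example.com is relaxed-aligned -> pass.
    legit = AuthResults("mail.example.com", "pass", "example.com", "pass", "example.com")
    # 3. Monitor-only domain: everything fails, but p=none means deliver.
    monitor = AuthResults("example.org", "fail", "example.org", "fail", "example.org")
    for case in (spoof, legit, monitor):
        print(case.from_domain, evaluate_dmarc(case))
```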
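For the domain-registration monitoring in 3) above, here is an added example (not the digest's own code) of the screening logic a domain-watch service applies: it checks a constructed feed of newly registered domains against a hypothetical brand domain, examplebank.com, and flags homoglyph substitutions, names one or two edits away, and names that embed the brand with a phishing keyword. Public-suffix handling is simplified to two labels, which is an assumption of the example.

```python
"""Lookalike-domain screening for brand monitoring. Added example: checks a
(constructed) feed of newly registered domains against a brand domain using
three signals domain-watch services combine: homoglyph normalisation, edit
distance with transpositions, and the brand embedded next to a phishing
keyword. Real tooling would read zone files or certificate-transparency logs."""

BRAND = "examplebank.com"          # hypothetical brand to protect

# Character substitutions commonly used to imitate a name; multi-character
# entries go first so "rn" becomes "m" before single characters are mapped.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}
KEYWORDS = ("login", "secure", "verify", "account", "support", "update")


def normalize(label: str) -> str:
    """Undo homoglyph substitutions so 'examp1ebank' compares as 'examplebank'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transpositions, so 'examplebnak' is 1 edit from 'examplebank'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str) -> tuple:
    """(registrable label, TLD). Simplified: multi-part suffixes such as co.uk
    are not handled, an assumption of this example."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2], labels[-1]


def assess(candidate: str, brand: str = BRAND) -> list:
    """List the reasons a registered domain looks like the brand (empty = clean)."""
    b_sld, b_tld = split_domain(brand)
    c_sld, c_tld = split_domain(candidate)
    if (c_sld, c_tld) == (b_sld, b_tld):
        return []                                  # the brand's own domain
    reasons = []
    if c_sld == b_sld:
        reasons.append("same name, different TLD")
    elif normalize(c_sld) == b_sld:
        reasons.append("homoglyph substitution")
    else:
        dist = osa_distance(c_sld, b_sld)
        if 0 < dist <= 2:                          # one or two typos away
            reasons.append(f"typo (edit distance {dist})")
        if b_sld in c_sld:                         # brand plus extra words
            hits = [k for k in KEYWORDS if k in c_sld]
            reasons.append("brand embedded" + (f" with keyword {hits[0]!r}" if hits else ""))
    return reasons


def screen_feed(feed, brand: str = BRAND) -> dict:
    """Map each flagged domain in a registration feed to its reasons."""
    return {d: r for d in feed if (r := assess(d, brand))}


# Constructed sample of "newly registered" domains, not a real feed.
FEED = [
    "examplebank.net", "examp1ebank.com", "exarnplebank.com", "examplebnak.com",
    "examplebank-login.com", "secure-examplebank.net", "exemplebank.com",
    "weatherreport.com", "examplebank.com",
]

if __name__ == "__main__":
    for domain, reasons in screen_feed(FEED).items():
        print(f"{domain:26} {', '.join(reasons)}")
```

Flagged domains are the input to the automated-alert and take-down steps the section lists; a clean result only means none of these three signals fired, not that the registration is benign.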

• Shared Intelligence: Share intelligence about new When selecting phishing detection and response software,
phishing threats between security teams, IT consider the following key features:
departments, and other relevant stakeholders.
• Domain Identification: The ability to identify and
• Incident Response Planning: Develop and practice an verify the authenticity of the domain from which an
incident response plan that involves multiple teams to email originates, helping to prevent domain spoofing
ensure a coordinated response to phishing attacks.
• Header Analysis: Analyzing email headers for
E. Phishing detection and response software inconsistencies or signs of tampering that may indicate
Phishing detection and response software is a set of a phishing attempt
cybersecurity tools that allow organizations to identify and • Link Analysis: Examining links within emails or web
remediate phishing threats. Here are some tools that can be used content to determine if they lead to known phishing sites
to automate phishing detection: or malicious content
• Agari Phishing Response: This service is a phishing • Attempted Impersonation Features: Detecting
incident response system designed to accelerate attempts to impersonate legitimate entities or
phishing triage, forensics, remediation, and breach individuals, which is a common tactic in spear-phishing
containment attacks
• IRONSCALES: This self-learning email security • AI Analytics: Using artificial intelligence to proactively
platform is designed to proactively fight phishing. It identify suspicious behavior patterns and predict new
combines human interaction and AI-oriented phishing threats
identification to prevent phishing attempts, including
Business Email Compromise (BEC) • Cross-referencing with Threat Libraries: Comparing
against databases of known threats, which are often
• Avanan: This anti-phishing software for cloud-hosted manually updated by security experts, to identify
email ties into your email provider using APIs to train phishing attempts
their AI using historical email. The service analyzes not
just message contents, formatting, and header • End-user Reporting: Enabling users to report
information, but evaluates existing relationships suspected phishing attempts, which can lead to faster
between senders and receivers to establish a level of takedown of phishing sites and prevent further damage
trust 2) How Phishing Simulation and Testing Tools Work
• Barracuda Sentinel: This tool leverages mail provider Phishing simulation and testing tools are designed to give
APIs to protect against phishing. It uses artificial users real-world experience in combating phishing attacks:
intelligence to learn the unique communications patterns
of your organization to identify and block real-time • Realistic Simulations: Distribute a range of realistic
spear phishing and cyber fraud attacks phishing scenarios that mimic the latest attack methods,
including vishing (voice phishing), to train users
• Proofpoint Targeted Attack Protection (TAP): This
tool helps organizations efficiently detect, mitigate, and • Regularly Updated Templates: Use templates that are
block advanced targeted attacks that arrive via email frequently updated to reflect the latest phishing tactics,
ensuring that training remains relevant
• RSA FraudAction: This tool specializes in detecting
and preventing phishing attempts, Trojans, and rogue • Automated Testing Frequency: Automate the
websites frequency of phishing simulation tests to ensure
consistent training rather than sporadic, one-off sessions
• PhishER: This lightweight Security Orchestration,
Automation, and Response (SOAR) platform helps • Active Environment Testing: By seeing a phishing
orchestrate threat response and manage the high volume email in an active environment, users must apply their
of phishing threats knowledge to prevent becoming a victim, reinforcing
their training
• Zphisher: This is a phishing tool for beginners and
novices, which includes some automated phishing tests • Admin Insights: From an admin perspective, deploying
simulations and training provides insight into the
• Evilginx2: This phishing tool describes itself as a man- effectiveness of the training and the organization's
in-the-middle attack framework used for phishing login security posture
credentials along with session cookies, allowing bypass
of 2-factor authentication 3) Implementing phishing detection and response software
Implementing phishing detection and response software
• DTonomy AIR Enterprise: This AI-based tool effectively requires a combination of technical solutions, user
includes batch mode analysis of phishing emails, task education, and organizational policies:
and case management automation, and hundreds of
playbooks • Regular Employee Training in Cybersecurity
Awareness: Continuous training ensures that
1) Key Features in Phishing Detection and Response employees can recognize and respond to phishing
Software

40
Read more: Boosty | Sponsr | TG
attempts. Engaging training platforms can keep • Not conducting thoughtful phishing simulations:
employees updated on the latest phishing tactics Phishing simulations can be a useful tool for training
employees to recognize and respond to phishing
• Implement Email Security Best Practices: Utilize attempts. However, it's important to conduct these
protocols like DMARC (Domain-based Message simulations thoughtfully and to communicate clearly
Authentication, Reporting, and Conformance) to with all relevant stakeholders
authenticate emails and prevent spoofing. This protocol
builds on SPF and DKIM standards to verify the origin • Not taking a defense-in-depth strategy: Relying
of emails and block fake ones solely on an anti-phishing program can be risky, as it
only takes one mistake for an attacker to succeed. A
• Leverage AI and Automation: AI-powered software defense-in-depth strategy, which includes multiple
can scan incoming messages for signs of phishing with layers of security, can provide more robust protection
high accuracy. Machine learning algorithms can also
predict new phishing threats by learning from patterns When selecting phishing detection and response software,
of known attacks consider the following key factors:
• Monitor Phishing Results: Use phishing simulation • Integration with other tools: The software should be
tools to monitor employee responses to simulated able to integrate with other security tools for a
attacks. This can help identify vulnerabilities and comprehensive security approach
measure the effectiveness of training programs
• Machine learning capabilities: Many modern tools
• Filter DNS Traffic: DNS filtering solutions can prevent use machine learning to analyze endpoint and network
users from accessing malicious websites by blocking activities and detect potential threats
requests to blacklisted domains. Some filters can
proactively evaluate websites for harmful code and add • Threat prioritization: The software should be able to
them to the blacklist prioritize threat alerts to help your team focus on the
most serious threats first
• Use Technical Solutions: Implement strong passwords,
employ DNS filtering, set up antivirus solutions, enable • Agent vs. agentless monitoring: Both agent-based
safe web browsing policies, and use secure email services to prevent phishing compromises
• Implement Incident Response and Reporting Measures: Have a plan in place for responding to identified phishing activity. This includes remediation steps and reporting mechanisms to address and mitigate the impact of successful attacks
• Secure Email Gateway Capabilities: Deploy email filters that screen based on headers and malicious content, categorize email, and inspect URLs against reputation feeds
• Harden User Endpoints: Ensure that user endpoints are secure by implementing endpoint protections and educating users on safe browsing and email practices
4) Implementation mistakes
When implementing phishing detection and response software, there are several common mistakes to avoid:
• Not updating software regularly: Regular updates are crucial to ensure that the software can effectively detect and respond to the latest phishing threats
• Over-reliance on IT departments: While IT departments play a crucial role in managing and maintaining phishing detection software, it's important for all employees to understand how to identify and respond to phishing attempts
• Relying on antivirus software alone: While antivirus software can help detect and prevent some phishing attempts, it's not sufficient on its own. Endpoint detection and response (EDR) and extended detection and response (XDR) solutions can provide more comprehensive protection
agentless monitoring have their pros and cons, and you may need a combination of both for optimal security
• Monitoring and analysis capabilities: The software should be able to monitor endpoint behaviors and detect, prioritize, track, and alert on indicators of compromise (IOCs) and indicators of attack (IOAs)
• Detection vs. prevention: Some solutions focus more on detecting phishing attempts, while others focus more on preventing them
• Automated real-time threat detection: This feature can help your security team quickly identify and respond to threats
F. Holiday Phishing risks
• Increased Online Activity: During the holidays, people are more active online, shopping for gifts, booking travel, and donating to charities. This increased activity provides more opportunities for scammers to trick people into revealing sensitive information
• Distraction: The holiday season is a busy time, and people are often distracted and may not be as vigilant as they usually are. Scammers take advantage of this by sending phishing emails that appear to be from reputable sources, such as banks or popular retailers
• Emotional Manipulation: Scammers often use emotional manipulation during the holiday season. They may impersonate charities or family members to trick people into sending money or revealing personal information
• Seasonal Themes: Scammers use holiday-themed emails, messages, and websites to trick victims. They

41
Read more: Boosty | Sponsr | TG
may send fake order and tracking emails, charity emails, and messages related to holiday events or schedules
• Opportunistic Behavior: Scammers take advantage of the fact that many companies offer bonuses or seasonal jobs during the holidays. They create phishing campaigns that target employees with fake bonus offerings or job seekers with fraudulent job ads
• Social Engineering: Scammers use social engineering tactics to create a sense of urgency or fear, such as claiming that a package delivery was missed or that a recipient's account has been hacked. This can prompt hasty actions like clicking on malicious links
• Fake Online Stores or "Lookalike Stores": Scammers create fraudulent websites that mimic legitimate online retailers to trick consumers into entering their personal and financial information
• Missed Delivery/Non-Delivery Notification: Victims receive notifications claiming a delivery was missed or a package was not delivered, prompting them to click on a link that could lead to a phishing site or install malware
• Gift Card Scams: Scammers send spoofed emails or texts asking victims to purchase multiple gift cards for personal or business reasons, often pretending to be someone the victim knows
• Fake Charities: Criminals set up bogus charities and solicit donations from individuals who believe they are contributing to a legitimate cause
• Social Media Scams: Scammers use social media platforms to offer holiday promotions, vouchers, or gift cards that require completing surveys designed to steal personal information
• Fraudulent Seasonal Jobs: Fake job ads are posted online offering good money for very little work, targeting individuals seeking to make extra money during the holidays
• Phishing Emails: These are particularly prevalent during the holiday season and can take the form of bogus delivery confirmation requests or other communications seeking personal information
• Package Theft: Scammers may pose as delivery services and send fraudulent notifications about package theft or delivery issues to trick recipients into providing personal details
• Vacation Scams: Offers for fake holiday vacations or travel deals that aim to steal money or personal information from unsuspecting victims
• Brushing Scams: Unsolicited items are sent to individuals, which may seem harmless but could be a sign that the scammer has access to the recipient's personal information


VIII. DCRAT (DARK CRYSTAL RAT)


A. Introduction
DCRat, also known as Dark Crystal Rat, is a commercial backdoor that is predominantly sold on underground forums. It has been around since 2018 and operates as a modular remote access trojan (RAT) offered as a Malware-as-a-Service (MaaS). The malware is designed to provide threat actors unauthorized access to systems by circumventing security measures.
In terms of pricing, DCRat is sold for approximately $7 for a two-month subscription. Its one-month license goes for a mere $5, while a lifetime use license costs $40. Despite its low cost, DCRat is a versatile and dangerous cybersecurity threat.
In 2022, DCRat's developer announced on their GitHub page that it would be discontinued, along with a link to its successor and a claim that the new source code would remain private and not be sold.
B. DCRat Features
DCRat is a modular remote access trojan (RAT) with a range of features that make it a versatile tool.
The DCRat product itself consists of three components: a stealer/client executable, a single PHP page serving as the C2 endpoint/interface, and an administrator tool. It uses a modular framework that deploys separate executables for each module, most of which are compiled .NET binaries programmed in C#.
DCRat is capable of a range of nefarious uses, including surveillance, reconnaissance, information theft, Distributed Denial of Service (DDoS) attacks, and dynamic code execution in a variety of different languages. It can also steal credentials used to log in to social media accounts, specifically Telegram and Discord. DCRat has been detected targeting Windows systems, with a specific focus on bypassing security safeguards.
As of 2023, DCRat has been updated with several new capabilities and features:
• CryptoStealer Module: This module allows attackers to access users' cryptocurrency wallets
• Dynamic Code Execution: DCRat can execute code in multiple programming languages
• Crypto-Mining: Instances of DCRat deploying crypto-mining software on victim endpoints have been documented
• Delivery Methods: DCRat has been disseminated through enticing adult content-themed baits, infected files, and network propagation
• Evasion Techniques: DCRat has been observed to evade sandbox environments that use a fake internet to spoof an internet connection for malware analysis
• Persistence: DCRat has been found to exploit a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190 (Follina), to maintain persistence on the infected machine
As of 2023, DCRat has the following key features (full list):
• Information Theft
• Surveillance and Control
• Disruptive Attack Capabilities
• Modularity and Customization
• System Interaction
• Administration and Control
• Deployment and Distribution
• Stealth and Evasion
1) Information Theft
• Information Theft: DCRat can steal sensitive data from victimized systems, including capturing screenshots and harvesting clipboard data
• Keylogging: It can log keystrokes to capture sensitive information like passwords
• Stealing Browser Data: DCRat can extract session cookies, auto-fill credentials, personal information, and credit card details from browsers
• Clipboard Data Harvesting: It can copy and steal the contents of the user's clipboard
• Credential Theft: The malware can steal credentials from popular FTP applications and social media accounts, particularly targeting Telegram and Discord
2) Surveillance and Control
• Screenshots: It can take screenshots to monitor user activity
• System Information Collection: DCRat collects system information such as CPU and GPU stats, hostname, usernames, language preferences, and installed applications
3) Disruptive Attack Capabilities
• DDoS Attacks: DCRat can launch Distributed Denial of Service (DDoS) attacks against selected targets


• Dynamic Code Execution: It offers the ability to execute code dynamically in multiple programming languages
4) Modularity and Customization
• Modular Architecture: DCRat uses a modular framework, deploying separate executables for each module, most of which are compiled .NET binaries programmed in C#
• Plugin Framework: It has a plugin development framework that allows for the creation of new modules, enhancing its capabilities
5) System Interaction
• Persistence: DCRat can persist on compromised hosts using techniques such as creating scheduled tasks, Registry Run Keys, and Winlogon Autostart Registry Keys
• Crypto-Mining: There have been instances where DCRat deployed crypto-mining software on victim endpoints
6) Administration and Control
• C2 Administration: The malware includes a command-and-control (C2) administration interface that allows attackers to upload modules, execute commands remotely, and exfiltrate data
• Stealer/Client Executable: It consists of a .NET executable designed to exploit Windows systems
7) Deployment and Distribution
• Malware-as-a-Service (MaaS): DCRat operates as a MaaS, allowing it to be purchased and used by various threat actors
• Low-Cost Licenses: It is sold for approximately $7 for a two-month subscription, with other pricing options available for longer-term use
8) Stealth and Evasion
• Concealment: DCRat employs techniques to stay undetectable, such as hiding its presence and disguising its network traffic
• Anti-Detection Features: Plugins are available that can resist running in a virtual machine, disable Windows Defender, and disable webcam lights on certain models
• Persistence Mechanisms: It can use techniques like creating scheduled tasks and Registry Run Keys (incl. Winlogon Autostart) to maintain its hold on the system
C. DCRat Deployment
DCRat operates as a Malware-as-a-Service (MaaS). DCRat is deployed via first-stage attacks employing a wide array of tactics, including malspam, phishing, spear-phishing, and pirated (or "cracked") commercial software such as rogue updaters and anti-virus products.
Once installed, the DCRat C2 administration allows attackers to upload modules to the infected host, execute commands remotely, and exfiltrate data. DCRat uses a modular framework that deploys separate executables for each module, most of which are compiled .NET binaries programmed in C#.
The malware is capable of stealing information from browsers, such as session cookies, auto-fill credentials, personal information, and credit card details. It can also monitor the infected host by logging and exfiltrating keystrokes and screenshots.
DCRat establishes a connection between the victim's device and the attacker's device through a command-and-control (C2) server. Once the malware is installed on the victim's device, it connects back to the C2 server controlled by the attacker. This server can send commands to the compromised device, allowing the attacker to access and modify data, steal sensitive information, and ensure persistence by reconnecting to the C2 server even after reboots or attempts to remove the malware.
The most common lures used to distribute DCRat include:
• Adult Content-Themed Lures and Fake OnlyFans: DCRat has been distributed using explicit lures related to OnlyFans pages and other adult content. Victims are tricked into downloading malicious files, often ZIP archives, which contain the malware
• Phishing and Malspam: DCRat is also spread through phishing emails and malspam campaigns, where victims receive emails with malicious attachments or links that, when opened, install the malware
• Network Propagation: The malware can spread through network propagation, exploiting vulnerabilities or using other methods to move laterally within a network and infect multiple devices
D. DCRat Evasion techniques
DCRat employs several techniques to evade detection:
• Process Infiltration: DCRat rarely produces malicious activity in its current process. Instead, it prefers to create large process trees and infiltrate a harmless process at some point
• Persistence Algorithm: DCRat can execute a persistence algorithm to retain control over the system. For instance, it can copy itself to a random running process and to the root directory. It can also create shortcuts to these copies in the user's Startup folder and add registry values that point to these shortcuts
• Delay Execution: DCRat can delay execution for a period of time after the infection, which can help it evade immediate detection
• Obfuscation: DCRat's payload has been protected with Enigma Protector to prevent analysis
• Use of SSL/TLS Certificates: DCRat, like many other malware families, uses self-signed SSL/TLS certificates, which can help it blend in with normal encrypted traffic and evade detection
E. DCRat Effectiveness
DCRat is known for its cost-effectiveness, versatility, and continuous updates, which make it a significant cybersecurity threat. DCRat allows threat actors to take control over an infected machine and steal sensitive information such as clipboard contents and personal credentials from apps. DCRat is developed and maintained by a single user who actively markets

their product on several underground forums as well as a Telegram channel. This is unlike most other RATs, which are typically the work of sophisticated and well-resourced cyber-criminal groups.
DCRat differs from other RATs in several ways. It can also function as a loader, dropping other types of malware on the infected computer. DCRat uses three distinct techniques for persistence on the compromised host: creating a scheduled task, creating a Registry Run Key, and creating a Winlogon Autostart Registry Key. It also uses the W32tm "stripchart" command as a delay tactic for its execution and beaconing, which is not commonly used by other RATs.
In terms of effectiveness, DCRat is surprisingly effective despite its low cost. The malware is under active development, with new capabilities being added regularly. It is also capable of evading detection by security software, making it a potent cybersecurity threat.
The most common features of other remote access trojans include the ability to establish complete to partial control over infected computers, the capability to spawn a child process, and the use of the Task Scheduler to ensure persistence within the compromised system. They can also exfiltrate sensitive information, establishing connections with command and control (C2) servers. Some RATs, like njRAT, operate on the .NET framework and enable hackers to remotely control a victim's PC, giving them access to the webcam, keystrokes, and passwords stored in web browsers and desktop apps.
F. DCRat Detection
1) Common IoC features
The most common indicators of compromise (IoCs) for DCRat attacks relate to the following features:
• Monitoring the infected host by logging and exfiltrating keystrokes and screenshots
• Stealing information from browsers, such as session cookies, auto-fill credentials, personal information, and credit card details, as well as from popular FTP applications
• The ability to record the victim's keystrokes, which can be used to steal passwords and other sensitive information
• The ability to collect information about the system (CPU and GPU stats, etc.)
2) Network IoC features
The most common indicators of compromise (IoCs) for DCRat attacks relate to the following network features:
• Network Traffic: DCRat communicates with its Command & Control (C2) server to exfiltrate data and receive commands. This communication can be detected as unusual network traffic
• Data Collection: DCRat collects sensitive information from compromised hosts, such as server type, username, and GPU info, which can be detected by monitoring for unusual data access or movement
• Persistence Mechanisms: DCRat uses several techniques for persistence, including creating a scheduled task, creating a Registry Run Key, and creating a Winlogon Autostart Registry Key. These entries can be detected by monitoring for changes in the system's scheduled tasks, registry, and startup processes
• DDoS Attacks: DCRat can orchestrate Distributed Denial of Service (DDoS) attacks against targeted websites. This can be detected by monitoring for unusual network traffic patterns or an increase in requests to a specific website
• Dynamic Code Execution: DCRat has the ability to execute code in multiple programming languages. This can be detected by monitoring for unusual code execution or process behavior
• Information Theft: DCRat can facilitate the theft of sensitive data from victim devices, including capturing screenshots and harvesting credentials. This can be detected by monitoring for unusual data access
• Crypto-Mining: Instances of DCRat deploying crypto-mining software on victim endpoints have been documented. This can be detected by monitoring for unusual CPU usage or network traffic
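The persistence mechanisms and the W32tm "stripchart" delay tactic described above translate directly into host-based detection logic. The following Python is an added example, not code from the digest or from any vendor product: it runs over a few constructed Sysmon-style events (field names follow Sysmon, paths and command lines are made up) and flags Run-key and Winlogon autostart writes, scheduled-task creation and w32tm stripchart launches, then reports images that stacked more than one persistence technique.

```python
"""Detection logic for the DCRat persistence and delay indicators named in
this section. Added example, not from the digest: it scans constructed
Sysmon-style events for the three persistence techniques the text attributes
to DCRat (scheduled task, Registry Run key, Winlogon autostart key) and for
the 'w32tm /stripchart' delay tactic. Field names follow Sysmon; the values
are made up."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Registry locations the text names as DCRat persistence points.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    re.IGNORECASE)
# Task creation and the w32tm stripchart delay tactic, seen as process launches.
SCHTASKS_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.IGNORECASE)
STRIPCHART_RE = re.compile(r"\bw32tm(\.exe)?\b.*\s/stripchart\b", re.IGNORECASE)

PERSISTENCE = {"registry_run_key", "winlogon_autostart", "scheduled_task"}


@dataclass
class Finding:
    technique: str
    image: str      # process that performed the action
    detail: str     # registry path or command line that matched


def inspect_event(event: Dict[str, object]) -> Optional[Finding]:
    """Map one Sysmon-style event to a DCRat technique, or None."""
    eid = event.get("EventID")
    image = str(event.get("Image", ""))
    if eid == 13:  # registry value set
        target = str(event.get("TargetObject", ""))
        if WINLOGON_RE.search(target):
            return Finding("winlogon_autostart", image, target)
        if RUN_KEY_RE.search(target):
            return Finding("registry_run_key", image, target)
    elif eid == 1:  # process creation
        cmd = str(event.get("CommandLine", ""))
        if SCHTASKS_RE.search(cmd):
            return Finding("scheduled_task", image, cmd)
        if STRIPCHART_RE.search(cmd):
            return Finding("w32tm_stripchart_delay", image, cmd)
    return None


def scan(events: List[Dict[str, object]]) -> List[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f is not None]


def stacked_persistence(events, threshold: int = 2) -> Dict[str, Set[str]]:
    """Images that set up at least `threshold` distinct persistence techniques:
    the 'several techniques for persistence' pattern the text describes."""
    per_image: Dict[str, Set[str]] = {}
    for f in scan(events):
        if f.technique in PERSISTENCE:
            per_image.setdefault(f.image, set()).add(f.technique)
    return {img: t for img, t in per_image.items() if len(t) >= threshold}


# Constructed sample events (not a real log export).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c w32tm /stripchart /computer:localhost "
                    "/period:5 /dataonly /samples:10"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\Update"},
    {"EventID": 13, "Image": r"C:\Users\Public\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Winlogon\Shell"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Update" '
                    r"/tr C:\Users\Public\svchost.exe"},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion"
                     r"\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.image}: {f.detail}")
    print("stacked persistence:", stacked_persistence(SAMPLE_EVENTS))
```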


IX. COMMON VULNERABILITY SCORING S YSTEM (CVSS) V4

A. Introduction
The Common Vulnerability Scoring System (CVSS) version 4.0 is the latest iteration of the industry-standard scoring system for assessing and quantifying the severity and impact of software vulnerabilities.
CVSS v4.0 introduces several significant changes and improvements over the previous version (v3.1) to provide a more granular, accurate, and comprehensive assessment of vulnerabilities.
This analysis will delve into various facets of CVSS v4.0, including its enhanced metrics, the introduction of new categories, and the implications these changes have for cybersecurity professionals and organizations. By dissecting the CVSS v4.0 specification, we will offer a qualitative summary that encapsulates the core improvements and modifications from its predecessor, CVSS v3.1, thereby equipping readers with a nuanced understanding of its impact on vulnerability management processes. Through a meticulous examination of the CVSS v4.0 framework alongside insights from cybersecurity experts, this analysis endeavors to provide a clear, actionable guide for effectively leveraging CVSS v4.0 in enhancing organizational security postures.
B. Key changes
Key updates in CVSS v4.0 as of now:
• New Base Metrics and Values: CVSS v4.0 introduces new base metrics that capture additional aspects of risk, such as the potential consequences of a successful attack, including explicit assessment of impact to the Vulnerable System (VC, VI, VA) and Subsequent Systems (SC, SI, SA)
• Simplified Threat Metrics: The Temporal Score has been renamed to the Threat Metric Group and now includes only one metric, Exploit Maturity
• New Supplemental Metric Group: This group is introduced for Enhanced Extrinsic Attributes, providing additional insight into the characteristics of a vulnerability
• Changes to Vector String: The Vector String has been updated to begin with CVSS:4.0 rather than CVSS:3.1. Although no other changes have been made to the Vector String, CVSS v4.0 contains changes to the definition of some of the metric values and to the formulas
• Improved Guidance: CVSS v4.0 provides improved guidance to CVSS analysts to produce consistent scores. It also provides guidance on scoring vulnerabilities in software libraries and supports multiple CVSS scores for the same vulnerability that affects different platforms or operating systems
• Enhanced Clarity and Simplicity: CVSS v4.0 aims to provide a more streamlined scoring process, reducing subjectivity through clearer metric guidance and definitions
• Focus on Resiliency: The latest iteration of CVSS introduces a renewed focus on resiliency, particularly in the early stages of an exploit, addressing the increasing concerns around the security of operational technology (OT), industrial control systems (ICS), and the Internet of Things (IoT)
• Renaming of Key Metrics: The Temporal metrics in CVSS 3.1 have been renamed to Threat Metrics in CVSS 4.0
• User Interaction: CVSS 4.0 has made the User Interaction metric more granular. While CVSS 3.1 had the values None (N) or Required (R) for this metric, CVSS 4.0 has expanded the options to Active, Passive, and None
• New Base Metrics and Values: CVSS 4.0 introduces new base metrics and values, providing a more granular and accurate assessment of vulnerabilities
• Assessing Effects on Vulnerable and Subsequent Systems: CVSS 4.0 provides clearer insight into the impact of vulnerabilities on both the vulnerable system and subsequent systems
• Simplifying Threat Metrics: The Threat metrics in CVSS 4.0 have been simplified to focus only on Exploit Maturity
• New Supplemental Metric Group: CVSS 4.0 introduces a new Supplemental Metric Group for Enhanced Extrinsic Attributes
• Attack Requirements: CVSS 4.0 introduces a new base metric, "Attack Requirements", which gets the value "Present" if there is a pre-attack requirement
• Scope Changes: The "Scope" feature from CVSS v3.1 was retired and replaced with the concepts of "Vulnerable System" and "Subsequent System"
• Support for Multiple Scores: CVSS 4.0 is designed to support multiple CVSS scores for the same vulnerability that affects different platforms, operating systems, etc.


• Guidance for Other Sectors: CVSS 4.0 provides guidance to extend the CVSS framework for other industry sectors such as privacy, automotive, etc.
C. Benefits of using CVSS v4.0 over previous versions
CVSS v4.0 improves vulnerability assessments by introducing several enhancements that provide a more nuanced and accurate representation of the risks associated with software vulnerabilities:
• More Granular Base Metrics – CVSS v4.0 includes new base metrics and values that capture additional aspects of risk, such as the potential consequences of a successful attack. This includes explicit assessment of impact to the Vulnerable System (VC, VI, VA) and Subsequent Systems (SC, SI, SA), which allows for a more detailed understanding of the vulnerability's impact
• Integration of Threat Intelligence – The Threat Metrics group in CVSS v4.0 adjusts the severity of a vulnerability based on real-time factors, such as the availability of proof-of-concept code or active exploitation. This integration of threat intelligence ensures that the scoring reflects the current threat landscape and the likelihood of an attack
• Environmental Metrics – CVSS v4.0's Environmental Metrics further refine the severity score to a specific computing environment. They consider factors such as the presence of mitigations and the criticality of the affected system within the user's environment, allowing for a more tailored risk assessment
• Simplified Threat Metrics – The Threat Metrics group, previously known as Temporal Metrics, has been simplified to focus on the most critical aspect of real-time vulnerability assessment: Exploit Maturity. This simplification helps users better understand the risk of vulnerabilities
• Enhanced Clarity and Simplicity – CVSS v4.0 aims to reduce ambiguities and inconsistencies in vulnerability assessments that were common in previous versions. The new version provides clearer metric guidance and definitions, which should lead to more consistent scoring
• Support for Multiple Scores – The new framework is designed to support multiple CVSS scores for the same vulnerability when it affects different platforms or operating systems, providing a more comprehensive assessment
• Focus on Resiliency – CVSS v4.0 introduces a renewed focus on resiliency, particularly in the early stages of an exploit, which is increasingly important for the security of operational technology (OT), industrial control systems (ICS), and the Internet of Things (IoT)
• Vendor-Supplied Severity and Impact Scoring – The framework now integrates vendor-supplied severity and impact scoring, accommodating a wider range of perspectives and aligning the scoring process more closely with real-world scenarios
• Enhanced Fidelity in Vulnerability Assessment – The objective behind CVSS v4.0 is to offer enhanced fidelity in vulnerability assessment for the industry and the public, incorporating various refinements to improve the accuracy of vulnerability scoring
D. Finer-grained metrics in CVSS v4.0 & scoring process
CVSS v4.0 introduces several finer-grained metrics to provide a more nuanced understanding of the technical characteristics of vulnerabilities. One of the key changes is a more granular breakdown of the Base Metrics, which includes new values for User Interaction, categorized as either Passive or Active. The User Interaction (UI) metric in CVSS v4.0 provides more granularity to the amount of interaction required. Additionally, CVSS v4.0 introduces a new Attack Requirements metric, which provides more granularity in capturing the prerequisite conditions enabling an attack.
CVSS v4.0 simplifies the scoring process in several ways. The Threat Metrics, previously known as Temporal Metrics, have been simplified and renamed to emphasize real-time vulnerability assessment. Remediation Level (RL) and Report Confidence (RC) have been retired, and Exploit "Code" Maturity has been renamed to Exploit Maturity (E). The Temporal Metrics have been simplified to help consumers better understand the risk of vulnerabilities. The scoring system in CVSS v4.0 is simpler and more flexible compared to previous versions, aiming to provide a universal framework for scoring different vulnerabilities.
E. List of Metrics
The Common Vulnerability Scoring System (CVSS) version 4.0 consists of four metric groups: Base, Threat, Environmental, and Supplemental.
The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. The Base Score is calculated using a specific formula that examines factors such as the vulnerability's impact on integrity, confidentiality, availability, exploitability, and scope.
The Threat metric group, previously known as the Temporal Metrics Group, provides additional context to the Base metrics. However, the Threat metrics do not significantly impact the final CVSS score.
The Environmental metric group represents the characteristics of a vulnerability that are unique to a user's environment. These metrics allow organizations to customize the CVSS scores based on their specific environment. However, the Environmental metrics are specified by users and do not directly impact the publicly visible CVSS scores, which are based solely on the Base Score.
The Supplemental metric group is a new addition in CVSS v4.0. It includes metrics that provide additional context, such as Automatable, Value Density, Recovery, Provider Urgency, and Vulnerability Response Effort. However, the Supplemental metrics are optional and do not have any impact on the final calculated CVSS score.
1) Base Metrics
The Base Metrics represent the intrinsic qualities of a vulnerability. They include:


• Attack Vector (AV)
• Attack Complexity (AC)
• Privileges Required (PR)
• User Interaction (UI)
• Scope (S)
• Impact Metrics: Vulnerable System Confidentiality (VC), Integrity (VI), Availability (VA), and Subsequent System(s) Confidentiality (SC), Integrity (SI), Availability (SA)
a) Purpose
The Base metric group represents the intrinsic qualities of a vulnerability that are constant over time. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics. The Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited, while the Impact metrics reflect the direct consequences of a successful exploit. The Base metrics help determine the initial severity score for a vulnerability. In CVSS v3.1, the base metric group consisted of four main metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI). CVSS 4.0 introduced a metric called Attack Requirements (AT) to increase the granularity of the scoring system
b) Impact on Score
The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Threat and Environmental metrics. The Base score only reflects the technical severity of a vulnerability when considered in isolation. It's important to note that the Base score is only the starting point for building a full picture of the risk associated with a vulnerability.
c) Usage
The Base metric group is used to assess the fundamental qualities of a vulnerability that maintain their constancy over time. It is used to evaluate the severity of vulnerabilities and their impact on organizations without considering temporal or environmental factors
d) Calculation
The Base Metrics are divided into Exploitability Metrics and Impact Metrics. When these Base Metrics are assigned values by an analyst, they result in a score ranging from 0.0 to 10.0.
The CVSS v4.0 calculator, which is a reference implementation of the CVSS standard, can be used for generating scores based on the values of these metrics. The calculator applies the formula specified in the CVSS version 4.0 standard to produce the Base Score
e) Prioritizing vulnerabilities
Base metrics represent the intrinsic qualities of a vulnerability that are constant over time and across user environments. They include exploitability metrics (such as Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, and User Interaction), vulnerable system impact metrics (such as Confidentiality, Integrity, and Availability) and subsequent system impact metrics. The Base metrics produce a score ranging from 0 to 10, which reflects the technical severity of a vulnerability when considered in isolation. This score is essential when analyzing a vulnerability and helps in prioritizing vulnerabilities based on their inherent characteristics
2) Threat Metrics
The Threat Metrics, previously known as Temporal Metrics, adjust the severity of a vulnerability based on real-time factors. They include:
• Exploit Maturity (E)
• Remediation Level (RL)
• Report Confidence (RC)
a) Purpose
The purpose of the Threat metric group is to adjust the severity of a vulnerability based on factors such as the availability of proof-of-concept code or active exploitation. This group captures vulnerability characteristics related to a threat, which may change over time.
For example, it can capture information such as whether the vulnerability has been exploited or if there is any proof-of-concept exploit available. The values found in this metric group may change over time, reflecting the evolving threat landscape.
b) Impact on Score
The Threat metric group impacts the final CVSS score by adjusting the severity of a vulnerability based on the threat landscape. The absence of explicit Threat metric selections will still result in a score, but the inclusion of the "T" in the nomenclature is appropriate if any Threat metrics are used to adjust the score
c) Usage
The Threat metric group is used to refine the severity score of a vulnerability based on applicable threat intelligence. It is used in combination with the Base metric group, which represents the intrinsic qualities of a vulnerability that are constant over time, and the Environmental metric group, which represents the characteristics of a vulnerability that are unique to a specific computing environment.
d) Calculation
The Threat Metrics in the Common Vulnerability Scoring System (CVSS) version 4.0 adjust the severity of a vulnerability based on factors such as the availability of proof-of-concept code or active exploitation. These metrics reflect the characteristics of a vulnerability related to a threat that may change over time.
In CVSS v4.0, the Threat Metrics replaced the Temporal Metrics from previous versions, resulting in clearer and simplified metrics. The Remediation Level (RL) and Report Confidence (RC) metrics, which were part of the Temporal Metrics in previous versions, have been removed in CVSS v4.0.
The values assigned to the Threat Metrics are used in the calculation of the final score, along with the Base and Environmental Metrics. If explicit Threat Metric values are not provided, default values that assume the highest severity are used.
The CVSS v4.0 calculator, which is a reference implementation of the CVSS standard, can be used for generating scores based on the values of these metrics. The calculator applies the formula specified in the CVSS version 4.0 standard to produce the final score, which includes the Threat Metrics.
Base Score of a vulnerability to reflect the impact within a specific organizational context. These metrics account for the protection goals of the affected system and the presence of security controls that mitigate the vulnerability.
e) Prioritizing vulnerabilities The Environmental Metrics are calculated by first
Threat metrics, previously known as Temporal Metrics, determining the Modified Base Metrics, which are the Base
adjust the severity of a vulnerability based on factors such as the Metrics adjusted for the presence of mitigations or compensating
availability of proof-of-concept code or active exploitation. controls. The Security Requirements are used to indicate the
These metrics reflect the characteristics of a vulnerability that importance of the affected IT asset to the organization, which
change over time, such as whether the vulnerability has been can amplify or reduce the severity based on the asset's criticality.
exploited or if any proof-of-concept exploit exists. The values in The Collateral Damage Potential metric reflects the potential for
this metric group may change over time, and they help in real- non-direct damage to the environment or entities beyond the IT
time vulnerability assessment. By considering the likelihood of asset.
exploitation and the potential impact of a successful attack, The final Environmental Score is derived by combining the
CVSS v4.0 aims to offer a more holistic and accurate assessment Modified Base Metrics with the Security Requirements and
of vulnerabilities. Collateral Damage Potential, using a formula specified in the
3) Environmental Metrics CVSS v4.0 Specification Document. This score provides a more
The Environmental Metrics allow organizations to tailored assessment of the vulnerability's severity within the
customize the CVSS scores based on their specific environment. specific environment of the organization
They include: e) Prioritizing vulnerabilities
• Modified Base metrics Environmental metrics further refine the resulting severity
score to a specific computing environment. They consider
• Collateral Damage Potential (CDP) factors such as the presence of mitigations in that environment
and the criticality of the systems. These metrics are specified by
• Security Requirement metrics: Confidentiality users and can lead to a disconnect between the score and the
Requirement of the vulnerable system (CR), Integrity actual risk in the real world due to their subjective nature.
Requirement of the vulnerable system (IR), and However, they are crucial in providing a more precise
Availability Requirement of the vulnerable system (AR) assessment of vulnerabilities in a specific environment, thus
a) Purpose enhancing vulnerability prioritization and risk management.
The Environmental Metric Group in CVSS v4.0 represents 4) Supplemental Metrics
the characteristics of a vulnerability that are unique to a user's The Supplemental Metrics provide additional context and
environment. It allows organizations to adjust the Base Score of describe aspects of a vulnerability that are outside the core
a vulnerability to reflect its impact within their specific context. CVSS standard. They include:
This group accounts for the presence of security controls that
may mitigate some or all consequences of a vulnerability and the • Automatable (A)
relative importance of a vulnerable system within a technology
infrastructure. • Value Density (VD)

b) Impact on Score • Recovery (R)


The Environmental Metrics enable analysts to customize the • Provider Urgency (PU)
CVSS score with inputs regarding IT asset importance and the
presence of mitigations, which can increase or decrease the • Vulnerability Response Effort (VRE)
severity of a vulnerability. These metrics are modifiers to the a) Purpose
base metric group and are designed to account for aspects of an
enterprise that might influence the severity of a vulnerability. . The purpose of the Supplemental Metric Group is to provide
The Environmental Metric Group impacts the final CVSS score users with contextual information that allows for a more
by allowing adjustments based on the specific environment nuanced understanding of vulnerabilities. These metrics offer
where the vulnerability exists. valuable insights into extrinsic aspects of vulnerabilities,
allowing consumers to delve deeper into specific contextual
c) Usage considerations. They are designed to provide a more complete
The Environmental Metric Group is used to tailor the CVSS understanding of vulnerabilities by describing and measuring
score to an organization's unique environment, considering additional extrinsic attributes
factors such as the importance of the affected IT asset and the b) Impact on Score
effectiveness of existing security controls. These metrics are the
modified equivalent of the Base Metrics and are specified by Unlike core CVSS metrics, Supplemental metrics do not
users to provide a more accurate assessment of the risk posed by contribute to the calculation of CVSS scores. They do not have
a vulnerability in their specific operational context. any impact on the final calculated CVSS score. Instead, they
serve as supplementary information for a more nuanced
d) Calculation vulnerability assessment. Organizations may then assign
The Environmental Metrics in the Common Vulnerability importance and/or effective impact of each metric, or
Scoring System (CVSS) version 4.0 are designed to adjust the set/combination of metrics, giving them more, less, or absolutely
no effect on the final risk analysis

51
Read more: Boosty | Sponsr | TG

c) Usage
The usage of each metric within the Supplemental metric group is determined by the scoring consumer. This contextual information may be employed differently in each consumer's environment. The information consumer can then use the values of these Supplemental Metrics to take additional actions if they so choose, applying locally significant importance to the metrics and values.

d) Calculation
The Supplemental Metrics in the Common Vulnerability Scoring System (CVSS) version 4.0 are a new addition designed to provide additional context and describe extrinsic attributes of a vulnerability. These metrics are optional and do not contribute to the calculation of the final CVSS score. Instead, they serve as supplementary information for a more nuanced vulnerability assessment.

The usage and response plan for each metric within the Supplemental metric group is determined by the scoring consumer. This contextual information may be employed differently in each consumer's environment. Organizations may then assign importance and/or effective impact to each metric, or to a set or combination of metrics, giving them more, less, or absolutely no effect on the final risk analysis.

e) Prioritizing vulnerabilities
Supplemental metrics are a new addition in CVSS v4.0. They measure extrinsic attributes of a vulnerability and provide contextual information. These metrics do not affect the vulnerability score but can be used to inform the companies that purchase the products. They include concepts such as "Automatable," "Recovery," and "Mitigation Effort," which provide additional context for vulnerability and remediation teams.

5) Differences
The Supplemental Metric Group is used to provide additional context and does not affect the CVSS score, whereas the Base, Threat, and Environmental Metric Groups contribute directly to the scoring process and are essential for calculating the severity of a vulnerability. The Supplemental Metric Group in CVSS v4.0 is distinct from the Base, Threat, and Environmental Metric Groups in several ways:

Supplemental Metric Group:
• Purpose: Provides additional context and describes extrinsic attributes of a vulnerability that are outside the core CVSS standard
• Impact on Score: The metrics in this group do not affect the final calculated CVSS score. They are optional and are used to convey additional information that may influence an organization's risk analysis and response plan
• Usage: The usage and response plan for each metric within the Supplemental Metric Group is determined by the scoring consumer, and this contextual information may be employed differently in each consumer's environment

Base, Threat, and Environmental Metric Groups:
• Purpose: These groups contain metrics that directly contribute to the calculation of the CVSS score, reflecting the intrinsic qualities of a vulnerability (Base), the real-time threat landscape (Threat), and the specific impact within an organizational context (Environmental)
• Impact on Score: The metrics in these groups directly affect the final CVSS score, with each group providing a different perspective on the severity and impact of the vulnerability
• Usage: The Base Metrics are provided by the organization maintaining the vulnerable system or by a third party, while the Threat and Environmental Metrics are intended for end consumers to enrich the Base metrics with additional context

F. Operational technology exposure metrics in CVSS v4.0
In CVSS v4.0, new metrics have been introduced to address the exposure and impact of vulnerabilities in Operational Technology (OT). These metrics are particularly relevant given the increasing concern about the security of OT, industrial control systems (ICS), and the Internet of Things (IoT). The updates aim to provide a more accurate assessment of the risks associated with vulnerabilities in these environments.

1) Safety Metrics
Safety metrics have been added to both the Supplemental and Environmental metric groups in CVSS v4.0. These metrics assess the potential safety impact of exploiting a vulnerability, which is especially important in sectors such as healthcare or industrial control systems where safety is a critical concern.

2) OT-Specific Considerations
The new metrics for Operational Technology exposure include consideration of whether the "consequences of the vulnerability meet the definition of IEC 61508," a standard for the functional safety of electrical/electronic/programmable electronic safety-related systems. This inclusion reflects the growing concern about OT cyber risk and the need for a scoring system that can adequately capture the unique risks of OT environments.

3) Impact on Vulnerable and Subsequent Systems
CVSS v4.0 also emphasizes evaluating the impact of vulnerability exploitation on both the vulnerable system and subsequent systems. This is particularly relevant for OT environments, where a vulnerability in one component could have cascading effects on other interconnected systems.

4) Use of Supplemental and Environmental Metrics
While the Supplemental metrics do not directly affect the final CVSS score, they provide valuable contextual information that organizations can use to inform their risk analysis and response plans. The Environmental metrics allow CVSS scores to be customized to the specific environment, which can include OT settings.
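To make the scoring rules of the four metric groups concrete, here is an added example (not the digest's or FIRST's code) that parses a CVSS v4.0 vector string and separates the values that feed the score from those that do not: undefined Threat and Security Requirement metrics fall back to the most severe value, Modified Base metrics override the Base values, and Supplemental metrics (including Safety) are collected but kept out of scoring. The abbreviations follow the CVSS v4.0 vector format, where Automatable is AU, Value Density is V, Vulnerability Response Effort is RE and Provider Urgency is U, so they differ from the shorthand used above; the sample vector is constructed.

```python
"""Parse a CVSS v4.0 vector and work out which metric values enter scoring.
Rules applied: Threat and Security Requirement metrics left undefined assume
the most severe value; Modified Base metrics override the Base values; the
Supplemental group is carried along but never scored.  Added example code."""
from dataclasses import dataclass, field

# Allowed values per metric.  Base metrics are mandatory and have no "X" (Not Defined).
BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}
THREAT = {"E": ("X", "A", "P", "U")}  # Exploit Maturity: Attacked / PoC / Unreported
ENV_REQ = {name: ("X", "H", "M", "L") for name in ("CR", "IR", "AR")}
ENV_MOD = {"M" + name: ("X",) + values for name, values in BASE.items()}
ENV_MOD["MSI"] = ENV_MOD["MSA"] = ("X", "S", "H", "L", "N")  # S = Safety
SUPPLEMENTAL = {
    "S": ("X", "N", "P"), "AU": ("X", "N", "Y"), "R": ("X", "A", "U", "I"),
    "V": ("X", "D", "C"), "RE": ("X", "L", "M", "H"),
    "U": ("X", "Clear", "Green", "Amber", "Red"),
}
ALL_METRICS = {**BASE, **THREAT, **ENV_REQ, **ENV_MOD, **SUPPLEMENTAL}
# Value assumed when the consumer leaves the metric undefined: the most severe one.
WORST_CASE = {"E": "A", "CR": "H", "IR": "H", "AR": "H"}


@dataclass
class EffectiveMetrics:
    scoring: dict = field(default_factory=dict)       # values that feed the formula
    supplemental: dict = field(default_factory=dict)  # context only, never scored
    modified: list = field(default_factory=list)      # Base metrics overridden by M* values
    defaulted: list = field(default_factory=list)     # metrics filled by the worst-case rule


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:4.0/AV:N/...' into {metric: value}, rejecting malformed input."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with the 'CVSS:4.0' prefix")
    metrics = {}
    for item in parts[1:]:
        name, sep, value = item.partition(":")
        if not sep or name not in ALL_METRICS:
            raise ValueError(f"unknown or malformed metric {item!r}")
        if value not in ALL_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        if name in metrics:
            raise ValueError(f"metric {name} given twice")
        metrics[name] = value
    missing = [name for name in BASE if name not in metrics]
    if missing:
        raise ValueError("mandatory Base metrics missing: " + ", ".join(missing))
    return metrics


def is_valid_vector(vector: str) -> bool:
    """True when the vector parses and carries every mandatory Base metric."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def effective_metrics(vector: str) -> EffectiveMetrics:
    """Resolve the values that the CVSS v4.0 formula would actually consume."""
    raw = parse_vector(vector)
    eff = EffectiveMetrics()
    for name in BASE:  # a set Modified Base metric replaces its Base counterpart
        value, mod = raw[name], raw.get("M" + name, "X")
        if mod != "X":
            value = mod
            eff.modified.append(name)
        eff.scoring[name] = value
    for name, worst in WORST_CASE.items():  # E, CR, IR, AR: undefined means worst case
        value = raw.get(name, "X")
        if value == "X":
            value = worst
            eff.defaulted.append(name)
        eff.scoring[name] = value
    for name in SUPPLEMENTAL:  # reported to the consumer, deliberately not in `scoring`
        if raw.get(name, "X") != "X":
            eff.supplemental[name] = raw[name]
    return eff


if __name__ == "__main__":
    # Constructed sample: network-reachable flaw; the environment limits reachability to
    # the adjacent network (MAV:A), rates availability as low priority (AR:L), adds context.
    sample = ("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
              "/MAV:A/AR:L/AU:Y/R:U/U:Amber")
    result = effective_metrics(sample)
    print("scoring:", result.scoring)
    print("overridden by environment:", result.modified)
    print("defaulted to worst case:", result.defaulted)
    print("supplemental (not scored):", result.supplemental)
```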


X. RANSOMWARE Q3

A. Introduction
According to various reports, 2023 is considered the most successful year for ransomware groups in history, with a total of 4,368 victims, a rise of over 55.5% on the previous year. Q2 and Q3 alone claimed more victims than the entirety of 2022, with 2,903 victims. In Q2 2023, ransomware cases increased by 67% compared to the previous quarter, with ransomware groups compromising 1,386 victims worldwide.

Below, we analyze in detail the public materials on ransomware for the third quarter of 2023, covering the current situation, changing attack trends, the industries affected and the geography of the phenomenon. The materials make it possible not only to assess the quantitative factors of incidents, but also to provide a qualitative synthesis of the tactics used by attackers and the consequences for future cybersecurity strategies. The purpose of the analysis is to give readers useful information and a deeper understanding of ransomware in its current form and its trajectory in the field of cybersecurity.

B. 2023 Ransomware Overview
• Ransomware Attacks Increase: The number of known attacks, where the victim did not pay a ransom, was 457 in November alone; the total number of attacks recorded was 1,900, and the undisclosed attacks were a massive 1,815 in the first six months of the year. The number of ransomware-related posts was 4,082, with an average of 371.1 posts per month.
• Ransomware Attacks on Healthcare Sector: There was a 278% increase in ransomware attacks on the health sector over the past four years. The large breaches reported in 2023 affected over 88 million individuals, a 60% increase from the previous year.
• Ransomware Gangs: Several ransomware gangs were shut down in 2023, including Hive, RansomedVC, and ALPHV. However, new and evolving players such as Hunters International, Dragon Force, and WereWolves emerged.
• Ransomware Payment: The average enterprise ransom payment exceeded $100,000, with a $5.3 million average demand. However, 80% of organizations have a "Do-Not-Pay" policy on ransomware, and only 41% of organizations attacked last year paid the ransom.
• Ransomware Insurance: 77% of organizations found out that ransomware is specifically excluded from their security insurance. Insurance companies are catching on, with 74% seeing their premiums increase, 43% seeing increased deductibles, and 10% seeing their coverage benefits reduced.
• Ransomware Targets: The manufacturing sector emerged as a prime target for 48 distinct ransomware groups in the US.
• High-Profile Attacks: High-profile attacks were carried out on Toyota, Boeing, and others using the Citrix Bleed vulnerability (CVE-2023-4966).
• Ransomware as a Service (RaaS): The proliferation of RaaS was a notable trend in 2023, simplifying the execution of ransomware attacks for cybercriminals.
• Prominent Ransomware Groups: Groups such as CL0P played a major role in the spike of ransomware activity in 2023, with CL0P exploiting file transfer software and impacting over 130 victims.
• Ransomware Success: The year 2023 is noted as the most successful year for ransomware groups historically, with a total of 4,368 victims, a 55.5% increase from the previous year. The second and third quarters of 2023 alone surpassed the total number of victims in 2022, with 2,903 victims.
• Q2 2023 Ransomware Surge: There was a 67% increase in ransomware cases in Q2 2023 compared to the previous quarter, with 1,386 victims globally. The leading ransomware groups during this period were LockBit3.0, ALPHV, and Cl0p.
• MOVEit Campaign: The MOVEit campaign was singled out as the most successful of the year, underscoring the significance of supply chain attacks and the need for robust version control and attack surface understanding. The United States was the primary target, with approximately 64% of the cases.
• Record-Breaking Q3 2023: Q3 2023 was the most successful quarter ever for ransomware, with the industry heavily impacted by the exploitation of critical vulnerabilities. The rise of new ransomware groups and families contributed to this growth.

C. Highlight on MOVEit Campaign
• Exploitation: CVE-2023-34362 affected both on-premises and cloud-based versions of MOVEit and was related to SQL injection, a common entry point into applications that enables data manipulation or database access.

• The Perpetrators: The Clop group was responsible for the attacks; it was also linked to the GoAnywhere and PaperCut incidents earlier in the same year.
• The Impact: The campaign had a significant impact, affecting over 1,062 organizations and approximately 65,435,641 individuals by the end of August 2023. The victims spanned a range of industries and included both private entities and public sector organizations.
• The Response: Progress Software responded promptly to the discovery of the vulnerability, issuing a patch and advising customers to apply it immediately. However, the victim count continued to grow months later, suggesting that many organizations were breached in the first few days and weeks of the campaign.
• The Aftermath: The MOVEit campaign highlighted the importance of proactive cybersecurity and vulnerability management, as well as the potential damage of supply chain cyber-attacks: many organizations were compromised not because they used MOVEit directly, but because they employed third-party contractors or subcontractors who did.

D. Geographical Impact
• Global Spread of Ransomware: Cybercriminals expanded their geographical reach in 2023, taking proven malware tools to new countries and regions.
• Countries Most Affected: The United States was the most affected country, with the highest number of breached accounts. Other countries significantly impacted by ransomware attacks included the UK and Canada, Mozambique, Angola, and Ghana.
• Ransomware by Industry: Ransomware attacks affected some verticals more than others. The top targets by industry included education, construction and property, central and federal government, media, entertainment and leisure, and local and state government.
• Ransomware Trends: New ransomware groups such as Rhysida, BianLian, IceFire, Sparta and Bl00dy emerged, underscoring the evolving nature of the industry.

E. Q3 2023: A Record Quarter
• Record-Breaking Ransomware Activity: The third quarter of 2023 witnessed a significant surge in ransomware activity, with global ransomware attack frequency up by 11% over Q2 and 95% year-over-year.
• Ransomware Victims: The number of ransomware victims in 2023 had already surpassed the totals observed for 2021 and 2022.
• Emerging Ransomware Groups: New ransomware groups such as MalasLocker, 8base, and Nokoyawa gained attention in Q3 2023. In their first quarter of operations, these groups collectively claimed a total of 305 victims.
• Ransomware by Industry: Ransomware attacks affected some sectors more than others. The sectors hardest hit by the record-breaking spike in ransomware attack frequency included law practices, government agencies, manufacturing, oil and gas, transportation, logistics, and storage.
• Future Trends: Based on the activity at the end of Q3 and early Q4, the numbers are expected to surpass anything witnessed in previous years.

F. Outlook for 2024
• Continued Growth of Ransomware: The ransomware industry will reach new heights in 2024, continuing to deliver a high number of victims as promising newcomers establish their presence.
• Supply Chain Attacks: Ransomware groups are expected to take advantage of and compromise supply chain infrastructures while still sticking to traditional methods such as exploiting old leaked credentials and using social engineering techniques.
• Ransomware Trends: The ransomware industry is expected to evolve, with new groups and tactics emerging.
• Law Enforcement and Industry Efforts: Efforts to combat ransomware will continue, with a focus on shutting down major cyber groups and preventing attacks.
• Ransomware Insurance: As ransomware attacks increase, the role of insurance in cybersecurity will become more critical, with organizations needing to navigate the complexities of coverage for ransomware incidents.
• Technological Developments: The cybersecurity landscape will continue to evolve, with a shift towards more comprehensive defense strategies that include prevention, detection, remediation, and forensics.
• Global Impact: The geographical impact of ransomware is expected to remain significant, with cybercriminals continuing to target a wide range of countries and industries.
• Ransomware Variants: The emergence of new ransomware strains and the continued activity of existing ones will likely persist, posing ongoing challenges for cybersecurity defenses.

G. Conclusion
• Ransomware in 2023: 2023 was a record-breaking year for the ransomware industry, with a significant increase in the number of attacks. The most targeted sector was the business services sector, followed by the retail and manufacturing sectors.
• Ransomware Industry Growth: Despite the efforts of law enforcement, the ransomware industry continued to grow rapidly. New groups emerged, and existing groups such as LockBit3.0, ALPHV, and Cl0p caused severe damage to organizations worldwide.
• Law Enforcement Efforts: Law enforcement authorities worldwide have been working to stop the growth of the ransomware industry. They had some success in shutting down several major cybercrime groups, such as Hive.
• Outlook for 2024: The ransomware industry will continue to grow in 2024, with new and existing groups posing significant threats to organizations worldwide.


XI. RANSOMWARE Q4


Abstract – The analysis of the ransomware trends for the 4th quarter of 2023 aims to understand the multifaceted threat landscape associated with ransomware.

Delving into the specifics, we intend to reveal the nuances of ransomware operations, including the identification of the dominant ransomware groups, their target sectors and the geographical distribution of attacks. Furthermore, the analysis will highlight significant trends, such as the surge in ransomware incidents, the evolution of extortion tactics, and the implications of these developments for cybersecurity strategies.

This knowledge will be useful for both technical and strategic security professionals, offering information that can guide the development of reliable protection mechanisms, inform risk management decisions and, ultimately, increase the resilience of organizations to the ever-present threat of ransomware.

The significance of this analysis extends beyond mere academic interest; it equips security practitioners with actionable intelligence, enabling them to anticipate and counteract the sophisticated strategies employed by ransomware operators.

A. Introduction
In Q4 2023, the most common types of ransomware attacks were primarily carried out by three groups: LockBit 3.0, Clop Ransomware, and ALPHV/BlackCat ransomware.

LockBit 3.0 remained the most active ransomware group, claiming an average of around 23 victims per week. Other prominent groups included Clop Ransomware and ALPHV/BlackCat ransomware. Notable incidents included LockBit's attack on Royal Mail and the shutdown of Hive Ransomware.

The Quarterly Threat Report by Air IT highlighted that ransomware attacks, phishing, and insider threats continued to pose significant risks, with a surge in data volume and global connectivity widening vulnerabilities. ISACA's State of Cyber Security report for 2023 indicated that 48% of organizations experienced a rise in cyber attacks in Q4 2023. TechTarget's report on ransomware trends heading into 2024 suggested that supply chain attacks and the exploitation of cloud and VPN infrastructure would continue to be key trends. The report also mentioned that since 2020, more than 130 different ransomware strains have been detected, with the GandCrab family being the most prevalent.

The environmental services industry faced an unprecedented surge in DDoS attacks, with a 61,839% increase in attack traffic year-over-year, as reported by Cloudflare. This surge was associated with the COP 28 event and highlighted the growing intersection between environmental issues and cyber threats. Trend Micro's report on ransomware in the first half of 2023 showed that LockBit, BlackCat, and Clop were the top RaaS groups, with a significant increase in the number of victim organizations compared to the second half of 2022.

Check Point Research described 2023 as the year of mega ransomware attacks, with a shift in tactics from encryption to leveraging stolen data for extortion. The education/research sector was the most impacted by ransomware attacks in 2023.

B. Affected industries
• In Q4 2023, the industries most affected by ransomware attacks were the business services sector, the education/research sector, and the retail/wholesale sector.
• The business services sector was the most targeted sector. The United States, being the most targeted country, likely contributed to the high number of attacks on this sector.
• The education/research sector was also heavily impacted by ransomware attacks, accounting for 22% of all attacks in 2023, according to Check Point Research.
• The retail/wholesale sector experienced a significant 22% spike in weekly attacks compared to 2022, as reported by Check Point Research.

Other industries that were notably affected include the IT, healthcare, and manufacturing sectors, which were the most targeted sectors in terms of ransomware file detections in the first half of 2023, according to Trend Micro. The report from TechTarget also listed several industries as top targets, including construction and property, central and federal government, media, entertainment and leisure, local and state government, energy and utilities infrastructure, distribution and transport, financial services, and business, professional and legal services.

C. Takeaways from Ransomware Q4
• Record Number of Victims: The year 2023 marked the most successful year for ransomware groups in history, with a total of 4,368 victims, a 55.5% increase from the previous year. The fourth quarter alone saw 1,386 victims.


• Dominant Ransomware Groups: LockBit 3.0 remained the most active ransomware group, claiming an average of around 23 victims per week. Clop Ransomware and ALPHV/BlackCat ransomware were also prominent, with 104 and 81 victims respectively.
• High-Profile Incidents: Notable incidents included LockBit's attack on Royal Mail and the shutdown of Hive Ransomware.
• Industry Impact: The business services sector, the education/research sector, and the retail/wholesale sector were among the most affected by ransomware.
• Geographical Focus: The United States was the most targeted country, followed by the UK and Canada.
• Trends in Attack Techniques: There was a shift in tactics from encryption to leveraging stolen data for extortion, with attackers focusing more on data theft and extortion campaigns that did not necessarily involve data encryption.
• Ransomware Strains: Since 2020, more than 130 different ransomware strains have been detected, with the GandCrab family being the most prevalent.
• Increased Response from Governments and Vendors: There has been an increased response from governments and technology vendors to help stem the tide of ransomware attacks.
• Ransomware as a Service (RaaS): RaaS remains a key driver of the ongoing frequency of attacks, with groups such as LockBit operating under this model.
• Extortion Tactics: Double and triple extortion attacks have become more prevalent and potentially more impactful and costly for affected companies.
• Supply Chain Attacks: Supply chain attacks have become an established part of the ransomware threat landscape, extending the impact of attacks beyond single victims.

D. Ransomware Payments
In Q4 2023, the most common payment methods used in ransomware attacks continued to be cryptocurrencies, with Bitcoin being the most prevalent. Bitcoin accounted for approximately 98% of ransomware payments due to its perceived anonymity and ease of use. However, there were early indications that more privacy-focused digital currencies, such as Monero, were growing in popularity as the payment method of choice for cybercriminals. This shift was attributed to the increasing ease of tracing the flow and sources of Bitcoin.

Despite the prevalence of ransom payments, the proportion of victims who paid ransoms was decreasing. Only 37% of ransomware victims paid a ransom in Q4 2023, a record low. This decrease was attributed to improved security measures and investment in backup continuity, which allowed more organizations to recover from attacks without paying ransoms.

The average ransom payment in Q4 2023 was significantly high, with the average payment being $408,643, a 58% increase from Q3 2022, and the median payment being $185,972, a 342% increase from Q3 2022. This increase in payment amounts was seen as a tactic by cybercriminals to compensate for the declining number of victims willing to pay ransoms.

E. Ransomware Entry Points
• Phishing Attacks: Phishing was the primary delivery method for ransomware, with 62% of successful ransomware attacks using phishing as their entry point into the victim's system. Phishing attacks rose by 173% in Q3 2023. Attackers used increasingly sophisticated social engineering techniques to trick employees into providing sensitive information.
• Exploitation of Vulnerabilities: Vulnerabilities in software and systems were another common entry point. For instance, the ransomware group CL0P exploited GoAnywhere file transfer software. Two new ransomware strains, CACTUS and 3AM, emerged in Q4 2023, with CACTUS exploiting known vulnerabilities in VPN appliances.
• Credential Theft and Brute Force Attacks: Credential theft was used in 44% of successful ransomware attacks, and brute-forced credentials, such as password guessing, were used in 17% of attacks.
• Supply Chain Attacks: Attackers targeted third-party vendors to gain access to an organization's network.
• Insider Threats: Insider threats continued to pose significant risks to organizations.
• Social Engineering Attacks: These attacks, including Business Email Compromise (BEC), were also common.

F. Ransomware Encryption methods
The encryption methods used in these attacks have evolved over time, with attackers adopting a mix of symmetric and asymmetric encryption techniques to increase the effectiveness of their attacks. In this approach, the ransomware generates two sets of keys, and a chain of encryption is used to increase the attack's effectiveness.

In addition to these encryption methods, there has been a notable shift in the execution strategies of ransomware attacks. Increasingly, cybercriminals are focusing more on data theft, followed by extortion campaigns that do not necessarily involve data encryption.

G. Ransomware Delivery methods
In Q4 2023, the most common delivery methods used in ransomware attacks were supply chain attacks, double extortion techniques, and Ransomware-as-a-Service (RaaS) operations.

Supply chain attacks became a well-established technique for mature and experienced ransomware groups. In these attacks, instead of directly attacking a single victim, the attackers target third-party vendors to gain access to an organization's network.

Double extortion was another prevalent method. In this technique, attackers not only encrypt the victim's data but also threaten to leak stolen data if the ransom is not paid.


Ransomware-as-a-Service (RaaS) operations also played a significant role. In RaaS, developers create ransomware software and sell access to this tool to criminals who then spread it among potential targets. The access is subscription-based, which is why it is called RaaS.

Phishing with malicious attachments and the exploitation of vulnerabilities, including zero-day vulnerabilities, were also used as initial access methods to the target system.

H. Vulnerabilities exploited by ransomware
In Q4 2023, ransomware attackers continued to exploit a range of vulnerabilities to compromise organizations. One of the most notable vulnerabilities exploited was a two-year-old vulnerability for which a patch had been available for roughly the same length of time. This highlights the importance of timely patch management and version control within organizations.

Additionally, attackers used a flaw in MagicLine4NX software, affecting versions before 1.0.026, to initiate their attacks. The MOVEit vulnerability was also significant, accounting for a notable percentage of victims in previous quarters, and it is likely that such vulnerabilities continued to be a target for ransomware groups.

The year 2023 also saw a surge in the use of zero-day exploits in ransomware attacks, that is, vulnerabilities that are unknown to the software vendor or have no patch available at the time of the attack. This trend of exploiting zero-day vulnerabilities underscores the adaptability of cyber threat actors and the need for organizations to enhance their defenses against such evolving threats.

I. Effective ways to prevent ransomware attacks
• Robust Data Backup: Regularly backing up data is a crucial step in mitigating the impact of a ransomware attack. A secure, robust data backup solution can ensure that even if data is encrypted by ransomware, the organization can restore its systems without having to pay the ransom.
• Cyber Awareness Training: Training employees to recognize and avoid potential ransomware threats, such as phishing emails and malicious attachments, can significantly reduce the risk of successful attacks.
• Patch Management: Regularly updating and patching software can eliminate known vulnerabilities that ransomware might exploit.
• Advanced Threat Prevention: Automated threat detection and prevention systems can identify and resolve most ransomware attacks before they cause significant damage.
• Endpoint Security: Robust endpoint security solutions, including antivirus and anti-malware software, can detect and block ransomware threats.
• Network Segmentation: Dividing the network into separate segments can prevent ransomware from spreading across the entire system.
• Zero Trust Security Model: Implementing a zero-trust model, where access to resources is granted only after a user has successfully verified their identity, can reduce the attack surface against ransomware.
• Multi-factor Authentication (MFA): Implementing MFA can add an additional layer of security, making it more difficult for attackers to gain access to systems.
• Least Privilege Access: Ensuring that users have the minimum levels of access necessary to perform their tasks can limit the potential damage of a ransomware attack.
• Application Whitelisting: Allowing only approved applications to run on a system can prevent ransomware from executing.


XII. INFAMOUS CHISEL MALWARE


Abstract – This document presents an analysis of the "Infamous Chisel" malware, a sophisticated cyber threat attributed to the Sandworm group. The analysis delves into various aspects of the malware, including its capabilities, components, and the implications of its deployment against specific targets, notably Android devices.

By dissecting the malware's components and tactics, the document sheds light on the sophisticated nature of cyber threats and their potential to compromise sensitive information and disrupt operations. The findings underscore the critical need for vigilance and proactive defense measures in the face of such advanced threats.

For cybersecurity professionals and other specialists across various sectors, this analysis serves as a valuable resource for understanding the mechanics and implications of advanced malware threats like Infamous Chisel. The document's insights can inform the development of more effective defense strategies and technologies, enhancing the security posture of organizations and protecting against the ever-evolving landscape of cyber threats.

A. Introduction

The Chisel malware targets Android devices, enabling remote access and exfiltrating information from these devices. Sandworm has used this malware in a campaign targeting Android devices used by the military sector. The malware is a collection of components that enable persistent access to an infected Android device over the Tor network and periodically collates and exfiltrates victim information from compromised devices. The information exfiltrated includes system device information, commercial application information, and applications specific to the military sector.

B. Components of Infamous Chisel

Infamous Chisel is a collection of components associated with Sandworm, designed to enable remote access and exfiltrate information from Android phones. The components of Infamous Chisel include:

• netd: This component is used to perform automated device information collection and exfiltration. It also searches multiple directories for files matching a predefined set of extensions, which are then exfiltrated.
• killer: This component kills the malicious netd process.
• blob: This component is executed by netd and is responsible for configuring and executing the Tor utility td.
• td: This utility is Tor with no obvious modifications.
• tcpdump: This utility is tcpdump with no obvious modifications.
• ndbr_armv7l and ndbr_i686: These utilities are multi-call binaries containing: dropbear, dropbearkey, ssh, scp, nmap, dbclient, watchdog, rmflag, mkflag.
• db: This utility is a multi-call binary containing: dropbear, dropbearkey, ssh, scp, nmap, dbclient, watchdog, rmflag, mkflag.

C. Network and other features

Infamous Chisel is designed to persist on the system by replacing the legitimate netd system binary at the path /system/bin/netd. When the malicious netd is executed, it checks whether init is the parent process that executed it; init is the process responsible for creating the processes listed in the script init.rc. When executed in this way, the malicious replacement netd forks and executes the legitimate binary, backed up at the path /system/bin/netd_, passing through the command line parameters. This retains the normal functionality of netd while allowing the malicious netd to execute as root.

The netd component of Infamous Chisel provides the bulk of the custom functionality which the actor deploys. The main purpose of netd is to collate and exfiltrate information from the compromised device at set intervals. It uses a combination of shell scripts and commands to collect device information. It also searches multiple directories for files matching a predefined set of extensions, which are then exfiltrated.

Infamous Chisel has several other capabilities:

• Network Monitoring and Traffic Collection: Infamous Chisel can monitor network activity and collect network traffic data. This allows it to gather information about the network environment and potentially capture sensitive data transmitted over the network
• SSH Access: Infamous Chisel can establish SSH connections, which can be used for remote command execution and data transfer
• Network Scanning: The malware can scan the local network, collating information about active hosts, open ports, and banners. This can help identify other potential targets within the network


• SCP File Transfer: Infamous Chisel can use the Secure Copy Protocol (SCP) for file transfers. This can be used to exfiltrate data from the infected device or to transfer malicious files onto the device
• Information Exfiltration: Infamous Chisel performs periodic scanning of files and network information for exfiltration. System and application configuration files are exfiltrated from an infected device
• Device Information Collection: Infamous Chisel collects various system device information, commercial application information, and applications specific to the military sector
• Automated Exfiltration: Infamous Chisel automatically exfiltrates files at regular intervals
• Service Stop: Infamous Chisel can stop the legitimate netd service

D. Exploited Vulnerabilities

The Infamous Chisel campaign exploits a variety of vulnerabilities and techniques to enable unauthorized access and control over targeted Android devices. The campaign exploits a combination of system vulnerabilities, insecure configurations, and network protocols to achieve its objectives. These include gaining persistence and elevated privileges, evading detection, accessing credentials, collecting sensitive information, establishing covert command and control channels, and potentially moving laterally within the network.

The primary vulnerabilities and techniques exploited by Infamous Chisel include (no specific CVE is associated with them):

• Persistence and Privilege Escalation: Infamous Chisel achieves persistence on the infected device by replacing the legitimate netd system binary. This replacement allows the malicious netd to execute as root, thereby gaining elevated privileges.
• Defense Evasion: The malware employs several defense evasion techniques. For instance, it checks that it is executed by init and at the path for the legitimate netd, ensuring its malicious activities are less likely to be detected. Additionally, the blob component decompresses executables from bzip archives, which could be a method to evade detection by unpacking its payload only after it has bypassed initial security checks.
• Credential Access: Infamous Chisel uses the tcpdump utility to sniff network interfaces and monitor network traffic, potentially capturing credentials transmitted over the network. It also scrapes multiple files containing credentials and key information, exploiting the storage and handling of sensitive information on the device to gain unauthorized access to accounts and services.
• Discovery and Collection: The malware performs extensive discovery and collection activities, such as enumerating data directories to discover files of interest, collecting GPS information, listing installed packages, and gathering various system information. This indicates that Infamous Chisel exploits the lack of secure storage and inadequate permissions settings on the device to access and collect sensitive information.
• Command and Control (C2) and Exfiltration: Infamous Chisel configures and executes Tor with a hidden service, which forwards to a modified Dropbear binary providing an SSH connection. This setup allows the malware to establish a covert communication channel with the infected device, exploiting network protocols and services to maintain control over the device and exfiltrate collected data.
• Network Scanning and Lateral Movement: The malware contains functionality to scan the local network, collating information about active hosts, open ports, and banners. This capability suggests that Infamous Chisel exploits the network environment of the infected device to identify other potential targets within the network for lateral movement or further exploitation

E. Infiltration

The Infamous Chisel campaign exfiltrates information from infected Android devices through a series of automated and manual processes. The malware, associated with the Sandworm threat actor, performs periodic scanning of files and network information for exfiltration. It searches for files matching a predefined set of extensions and exfiltrates system and application configuration files from the infected device.

The exfiltration process is detailed as follows:

• File Hashing and Avoiding Duplication: When a file is selected for exfiltration, it is hashed using MD5 and cross-referenced with a list of previously sent file hashes held in a file at one of three locations supporting different Android versions. This ensures that the same file isn't sent multiple times.
• File exfiltration from data directories: The malware searches specified directories for files with certain extensions and exfiltrates them.
• Exfiltration of configuration and configuration backup files: The malware searches for .json or .json.bak files in specified directories and exfiltrates them.
• File Exfiltration: The malware exfiltrates files using an HTTP POST request. The server response is expected to be HTTP, and the exfiltration is considered complete when the server sends 'Success' anywhere in its response.
• Information Gathering and Exfiltration: Infamous Chisel collects various hardware configuration information about the device and writes this information to files in the /data/local directory, which are then exfiltrated. This includes the Android ID, networking information, a list of installed applications, and various device hardware information.
• Local Area Network Scanning: The malware includes a built-in network scanner that performs IP


scanning of the local network to discover other devices. The results of this scan are exfiltrated immediately, providing the attackers with information that could facilitate lateral movement within the network.
• Exfiltration Frequency: The malware is designed to automatically exfiltrate files at regular intervals, with specific intervals set for different types of data collection. For example, file and device information compilation takes place every 23 hours and 53 minutes, while sensitive military information is siphoned every 10 minutes.
• Use of Tor and SSH for Secure Exfiltration: Infamous Chisel uses Tor and SSH for command and control communications, providing an encrypted channel that can be difficult to detect and intercept. This setup allows the malware to maintain a covert communication channel with the infected device, making detection and mitigation more challenging

When a file is selected for exfiltration, it is MD5-hashed and cross-referenced with a list of previously sent file hashes held in a file at one of three locations supporting different Android versions. The first existing directory path will be used: /sdcard/Android/data/.google.index, /storage/emulated/0/Android/data/.google.index, or /storage/emulated/1/Android/data/.google.index.

The file exfiltration is considered complete when the server sends "Success" anywhere in its response. This exfiltration uses a Hypertext Transfer Protocol (HTTP) POST, and the server response is also expected to be HTTP, but this is not explicitly checked for. The 16 raw bytes of the MD5 are appended to the end of the .google.index file, ensuring that the same file isn't sent multiple times. As the .google.index file contains raw bytes, without prior knowledge it would appear to contain random data. The initial allocation size is 256 Kb filled with NULLs, providing space for up to a maximum of 16,384 file hashes. All hash entries will be checked for every file prior to exfiltration. When the end of the .google.index file is reached, the position is reset to the start, overwriting the previous hashes. This means that if the number of files to exfiltrate from the device exceeds 16,384, files will be sent multiple times.

The netd component of Infamous Chisel enters a main loop upon execution, where various timers trigger the execution of different tasks, including file and device information exfiltration. This process occurs every 86,000 seconds (approximately 23 hours, 53 minutes, and 20 seconds), during which the malware searches specified directories for files matching a list of extensions and collects various hardware configuration information about the device. The collected information is written to files in the /data/local directory and then exfiltrated.

F. Impact & Geo scope

The impact of Infamous Chisel on Android devices is significant. It leads to loss of sensitive information, privacy breaches, and potential misuse of the device for further malicious activities.

The Infamous Chisel campaign primarily targeted Android devices used by the military sector. The malware, associated with the Sandworm activity, was designed to enable remote access and exfiltrate information from these devices. The campaign was identified and reported by multiple organizations including the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA), US Federal Bureau of Investigation (FBI), New Zealand's National Cyber Security Centre (NCSC-NZ), the Canadian Centre for Cyber Security, and Australian Signals Directorate (ASD).

G. Infecting ways

Based on the capabilities and methods of operation described in the document, we can infer some potential infection vectors that such a sophisticated malware campaign might use:

• Phishing Attacks: Attackers may use phishing techniques to trick users into installing malicious applications or clicking on links that lead to the download of the malware.
• Exploiting Vulnerabilities: The malware may exploit known vulnerabilities in the Android operating system or in installed applications to gain unauthorized access and install itself.
• Social Engineering: Social engineering tactics could be used to convince users to grant permissions or disable security features that would otherwise prevent the malware from executing or gaining persistence.
• Third-Party App Stores: Infamous Chisel could be distributed through third-party app stores or websites offering infected applications that appear legitimate.
• Malvertising: Malicious advertisements could redirect users to websites that automatically download and install the malware on their devices.
• Spear Phishing: Targeted spear-phishing campaigns could be used to infect devices of specific individuals or organizations with the malware.
• Supply Chain Attack: Compromising software supply chains to inject malicious code into legitimate applications could be another method, although this is a more sophisticated and less common approach.

H. Proactive and Reactive measures

The approach to defending against such sophisticated malware campaigns typically involves a combination of proactive and reactive cybersecurity practices. It is important for organizations to adopt a layered security approach that includes both preventive and detective controls to protect against sophisticated malware campaigns. Additionally, staying informed about the latest cyber threats and collaborating with cybersecurity agencies and industry partners can enhance an organization's ability to defend against such threats.

Proactive measures include:

• Cybersecurity Awareness and Training: Educating employees about the risks of malware and the


importance of following security best practices, such as not clicking on suspicious links or downloading unverified attachments.
• Regular Software Updates: Ensuring that all software, including operating systems and applications, is kept up-to-date with the latest security patches to mitigate known vulnerabilities.
• Robust Anti-Virus and Anti-Malware Solutions: Deploying comprehensive anti-virus and anti-malware solutions that can detect and prevent the execution of malicious code on organizational devices.
• Network Security: Implementing network security measures such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and control incoming and outgoing network traffic based on an applied rule set.
• Access Controls: Enforcing strict access controls and using the principle of least privilege to ensure that users have only the access necessary to perform their job functions.
• Incident Response Planning: Developing and maintaining an incident response plan to quickly and effectively respond to potential security incidents.

Reactive measures include:

• Threat Intelligence Sharing: Participating in threat intelligence sharing with other organizations and cybersecurity agencies to stay informed about the latest threats and mitigation strategies.
• Monitoring and Detection: Continuously monitoring systems for signs of compromise and having detection mechanisms in place to alert on suspicious activities.
• Forensic Analysis: Conducting forensic analysis in the event of a security breach to understand the scope of the compromise, eradicate the threat, and recover affected systems.
• Regular Security Audits: Performing regular security audits and vulnerability assessments to identify and address security gaps in the organization's infrastructure.
• Backup and Recovery: Maintaining regular backups of critical data and having a disaster recovery plan to restore operations in the event of a malware attack.

Android Device measures:

• Keep Software Updated: Regularly update the Android operating system and all installed applications to ensure that known vulnerabilities are patched. Malware often exploits security flaws in outdated software.
• Install Security Software: Use reputable antivirus and anti-malware solutions designed for Android devices. These can help detect and remove malicious software.
• Avoid Unknown Sources: Disable the installation of apps from unknown sources in the device settings. Only download apps from trusted sources like the Google Play Store.
• Be Cautious with Links and Attachments: Do not click on links or download attachments from unknown or suspicious sources. Phishing is a common method used to distribute malware.
• Use a VPN: When connecting to public Wi-Fi networks, use a Virtual Private Network (VPN) to encrypt your internet connection and protect against network sniffing.
• Enable Two-Factor Authentication (2FA): Use 2FA for online accounts to add an extra layer of security, making it harder for attackers to gain access even if they manage to steal credentials.
• Monitor Network Traffic: For organizations, monitoring network traffic for unusual activity can help detect the presence of malware like Infamous Chisel. Implement network segmentation to limit the spread of malware.
• Educate Users: Raise awareness among users about the risks of malware and the importance of following best security practices.
• Backup Important Data: Regularly back up important data stored on the device. In case of a malware infection, having backups can prevent data loss.
• Use Device Encryption: Enable device encryption to protect the data on your device. This makes it more difficult for attackers to access your information if the device is compromised.
• Restrict App Permissions: Review and restrict the permissions granted to applications. Limiting permissions can reduce the amount of data an app can access, thereby limiting what can be exfiltrated by malware.
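The forensic-analysis and detection measures above can be made concrete against the Infamous Chisel details given earlier (the netd replacement backed up at /system/bin/netd_, and the .google.index file of 16-byte raw MD5 entries at one of three paths, allocated as 256 Kb of NULLs for 16,384 hashes with the write position wrapping once full). The following Python triage script is an added example, not code from the digest or from the agencies' report it summarizes. It takes the root of an extracted Android filesystem image, locates the index, parses the already-sent hashes, flags a full index (the point at which older hashes are overwritten and files start being resent), hashes the files in a data directory to report which ones match the index, and checks for the netd_ backup. The sample image, the Documents directory it scans, the file contents and the netd_ placeholder are all constructed in a temporary directory for the demonstration.

```python
"""Triage an extracted Android image for Infamous Chisel exfiltration indicators.

Added example: the layout constants follow the digest's description of the
.google.index file; the sample image built by build_sample_image() is constructed.
"""
import hashlib
import os
import tempfile

ENTRY_SIZE = 16                           # one raw MD5 digest per entry
INDEX_SIZE = 256 * 1024                   # initial allocation, NULL-filled
MAX_ENTRIES = INDEX_SIZE // ENTRY_SIZE    # 16,384 hashes before wraparound

# Index locations from the analysis, relative to the image root, tried in order.
INDEX_PATHS = (
    "sdcard/Android/data/.google.index",
    "storage/emulated/0/Android/data/.google.index",
    "storage/emulated/1/Android/data/.google.index",
)


def find_index(root):
    """Return the first existing .google.index under the image root, or None."""
    for rel in INDEX_PATHS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            return path
    return None


def parse_index(data):
    """Parse raw index bytes into (hex_hashes, index_full).

    Entries are written sequentially, so the first all-NULL slot marks the end of
    the used region. index_full is True when no NULL slot remains: the write
    position has wrapped, earlier hashes were overwritten, and files may be resent.
    """
    hashes = []
    usable = len(data) - len(data) % ENTRY_SIZE
    for off in range(0, usable, ENTRY_SIZE):
        entry = data[off:off + ENTRY_SIZE]
        if entry == b"\x00" * ENTRY_SIZE:
            break
        hashes.append(entry.hex())
    return hashes, len(hashes) >= MAX_ENTRIES


def exfiltrated_files(root, data_dir, sent_hashes):
    """List files under data_dir whose MD5 appears in the index (already sent)."""
    sent = set(sent_hashes)
    hits = []
    for dirpath, _, names in os.walk(os.path.join(root, data_dir)):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            if digest in sent:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def triage(root, data_dir="data/media/0/Documents"):
    """Collect persistence and exfiltration indicators from an image root."""
    result = {
        # The persistence mechanism backs up the real binary at /system/bin/netd_.
        "netd_backup_present": os.path.isfile(os.path.join(root, "system/bin/netd_")),
        "index_path": find_index(root),
        "sent_hashes": 0,
        "index_full": False,
        "files": [],
    }
    if result["index_path"] is not None:
        with open(result["index_path"], "rb") as fh:
            hashes, full = parse_index(fh.read())
        result["sent_hashes"] = len(hashes)
        result["index_full"] = full
        result["files"] = exfiltrated_files(root, data_dir, hashes)
    return result


def build_sample_image():
    """Construct a tiny fake image: two documents, one already indexed, plus netd_."""
    root = tempfile.mkdtemp(prefix="chisel-triage-")
    docs = os.path.join(root, "data/media/0/Documents")
    for sub in ("system/bin", "storage/emulated/0/Android/data", docs):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    with open(os.path.join(root, "system/bin/netd_"), "wb") as fh:
        fh.write(b"placeholder, not a real binary")
    sent_doc = os.path.join(docs, "orders.pdf")
    with open(sent_doc, "wb") as fh:
        fh.write(b"constructed sample document 1")
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"constructed sample document 2")
    index = bytearray(INDEX_SIZE)  # NULL-filled, as the malware allocates it
    with open(sent_doc, "rb") as fh:
        index[0:ENTRY_SIZE] = hashlib.md5(fh.read()).digest()
    with open(os.path.join(root, INDEX_PATHS[1]), "wb") as fh:
        fh.write(index)
    return root


if __name__ == "__main__":
    print(triage(build_sample_image()))
```

Run against a real image, point `triage()` at the mounted or extracted root and at the user data directory of interest; an index that parses as full tells the responder that the hash list no longer bounds what was taken, so the file list must be treated as a lower bound.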


XIII. CYBER TOUFAN AL-AQSA HACKING GROUP


Abstract – This document presents an analysis of the Cyber Toufan Al-Aqsa hacking group, a newly emerged cyber threat that has rapidly gained notoriety for its sophisticated cyberattacks primarily targeting Israeli organizations.

The analysis delves into various aspects of the group's operations, including its background and emergence, modus operandi, notable attacks and breaches, alleged state sponsorship, and the implications of its activities for cybersecurity professionals and other specialists across different industries. It also aims to highlight its significant impact on cybersecurity practices and the broader geopolitical landscape.

The analysis serves as a valuable resource for cybersecurity professionals, IT specialists, and industry leaders, offering insights into the challenges and opportunities presented by the evolving cyber threat landscape.

A. Introduction

The Cyber Toufan Al-Aqsa is a hacking group that emerged in late 2023, claiming responsibility for a series of cyberattacks against Israeli companies and organizations.

The group has been involved in various types of cyberattacks, including website defacement, unauthorized access to institutions, businesses, and private residences, compromise of security cameras, and data breaches. One of the attacks was against Signature-IT, an Israeli company that specializes in hosting international websites for businesses, from which approximately 16 gigabytes of data files were stolen.

The group has also targeted other significant entities such as Radware, a cybersecurity firm, the Israel Innovation Authority, and Ikea in Israel. The group's activities have not been limited to data breaches; they have also used the corporate email domains of their victims to spread hacktivist messages.

The identity of the attackers behind the Cyber Toufan Al-Aqsa remains unconfirmed. However, some suggest a potential link to Iran due to the style and capabilities demonstrated in the attacks, which are common to Iranian-backed cyber groups.

As of late December 2023, the group declared a "ceasefire," stopping the release of data leaks. However, the group is still causing damage to its victims and those connected to them.

B. Impact of attacks

The group has demonstrated high capabilities and a direct style common to Iranian-backed cyber operations. They have targeted a range of high-profile Israeli entities, causing significant data breaches. Notable attacks include the one on Signature-IT, where data files totaling approximately 16 gigabytes were stolen. This attack led to the daily disclosure of new victims.

The operation compromised more than 150 targets spread across government, manufacturing, e-commerce, cybersecurity, and other sectors. The group claimed to have destroyed over 1,000 servers and breached 150 Israeli targets. The attacks have not crippled the Israeli economy, but they have caused a lot of damage, and some companies are still paying the price.

The group also engaged in psychological warfare against Israel by justifying their cyberattacks as retaliation for what they perceive as Israeli cruelty and crimes. They declared a ceasefire in November 2023, but expressed their intent to resume operations after the ceasefire, with a focus on targeting major Israeli corporations.

C. Impact of attacks on Israeli infrastructure

The potential impact of attacks on Israeli infrastructure is multifaceted and significant. The ongoing conflict between Israel and various entities, including Hamas and Iran-affiliated groups, has led to an increase in cyberattacks targeting Israeli infrastructure, businesses, and government entities.

These attacks have targeted a wide range of sectors, including government, e-commerce, water, energy, shipping, distribution, and telecommunications. The attacks have involved various methods, such as Distributed Denial of Service (DDoS) attacks, defacement attacks, data breaches, and the exploitation of default credentials in critical systems.

The cyberattacks have also had a significant impact on the Israeli cybersecurity sector. The conflict has absorbed manpower and focus from the cybersecurity sector, affecting the operation of companies and potentially leading to a temporary setback in cybersecurity innovation.

However, despite the increase in cyberattacks, Israel seems confident in its ability to deal with these threats. The country has a robust cybersecurity infrastructure and a rich startup ecosystem that has produced many globally recognized cybersecurity companies.

D. Takeaways of attack Tactics

The Cyber Toufan Al-Aqsa group has employed a variety of tactics to carry out their cyberattacks. Here are some key methodologies they have used:


• Website Defacement: this involves altering the appearance of a website, often to display a political message or to demonstrate that the site has been compromised
• Unauthorized Access: involves unauthorized access to various institutions, businesses, and private residences. This could involve exploiting vulnerabilities in software, using phishing techniques to steal login credentials, or other methods of bypassing security measures
• Compromise of Security Cameras: this involves compromising security cameras, potentially allowing the group to monitor the activities of their targets
• Data Breaches: the group has been adept at extracting large volumes of data from their targets, which they then release publicly. This not only harms the targeted organizations but also potentially impacts individuals whose personal information may be included in the breached data
• Use of Social Media Platforms: the group has been observed to be active on social media platforms like Twitter and Telegram, where they disseminate information about their activities and potentially coordinate attacks
• Wiper Malware: The group has used wiper malware in their attacks, which is designed to delete data or disrupt systems
• Psychological Warfare: In addition to their technical tactics, Cyber Toufan has also engaged in psychological warfare. They have released publications justifying their cyberattacks on Israel, citing retaliation for what they perceive as Israeli cruelty and crimes
• Follow-on Attacks: After initial breaches, the group has been known to conduct follow-on attacks, potentially exploiting the compromised systems to further infiltrate the target's network or to attack other linked systems

E. Targets and Consequences

The targets of Cyber Toufan's attacks have been quite diverse, including:

• Government Entities: The group has compromised targets spread across the Israeli government sector
• Manufacturing: Manufacturing firms have been among the affected sectors
• E-commerce: Online commerce platforms and businesses have been targeted, which could include customer data and business transaction information
• Cybersecurity Firms: Notably, the group has attacked cybersecurity companies, such as Radware, which indicates a focus on entities that are integral to Israel's cyber defense

1) Government Entities

The consequences of attacks on government entities:

• Data Breaches: The group has successfully breached several government entities, leading to substantial data leaks. This not only compromises the security and privacy of the affected organizations but also potentially impacts individuals whose personal information may be included in the breached data
• Disruption of Services: The attacks have led to the disruption of services, affecting the normal functioning of the targeted government entities
• Damage to Reputation: The public nature of these attacks and the subsequent data leaks can damage the reputation of the targeted entities, eroding public trust and confidence
• Potential for Follow-on Attacks: The initial breaches can potentially be used to conduct follow-on attacks, exploiting the compromised systems to further infiltrate the target's network or to attack other linked systems
• Psychological Impact: The attacks serve as a form of digital psychological warfare, creating a climate of fear and uncertainty
• Economic Impact: The attacks can have economic consequences, including the costs associated with incident response, system recovery, and potential regulatory fines or lawsuits related to the data breaches
• National Security Concerns: Given the sensitive nature of government entities, attacks can potentially pose national security concerns, depending on the nature of the breached data and the affected systems

2) Manufacturing

The consequences of attacks on the manufacturing sector:

• Operational Disruption: Cyberattacks, particularly ransomware, can halt production lines, leading to significant operational disruptions. This can force manufacturers to take their physical systems offline, sometimes for extended periods, to mitigate the attack and restore normal operations
• Financial Losses: The financial impact of cyberattacks on manufacturers is substantial. The average cost of a data breach in the manufacturing sector was reported to be $4.47 million in 2022, an increase from the previous year. These costs include investigating, remediating, and responding to cyberattacks, as well as potential losses from halted production and sales
• Data Breaches and Intellectual Property Theft: Cyberattacks can lead to the theft of sensitive data, including intellectual property, trade secrets, and customer information. This not only has immediate financial implications but can also result in long-term competitive disadvantages
• Supply Chain Vulnerabilities: The interconnected nature of the manufacturing supply chain means that an attack on one manufacturer can have ripple effects, impacting suppliers, partners, and customers. Supply chain attacks can compromise the integrity of products and services, leading to broader security concerns
• Reputational Damage: Public disclosure of an attack can erode trust in a manufacturer, affecting customer relationships and potentially leading to loss of business.

The damage to a company's reputation can be one of the most challenging consequences to recover from
• Compliance and Legal Risks: Manufacturers may face regulatory fines and legal action if cyberattacks result in the loss of protected or sensitive data. This is especially true for manufacturers in highly regulated industries or those handling personal data
• Physical Damage and Safety Risks: In cases where operational technology (OT) systems are targeted, cyberattacks can cause physical damage to equipment and pose safety risks to employees. Manipulating industrial processes can lead to equipment failure, environmental harm, and even endanger human lives
• Psychological Warfare: Beyond the tangible impacts, cyberattacks can also serve as a form of psychological warfare, creating a climate of fear and uncertainty among employees, management, and stakeholders

3) E-commerce
The consequences of attacks on the e-commerce sector:
• Operational Disruption: Cyberattacks can severely disrupt the operations of e-commerce businesses, affecting their ability to process transactions and serve customers. This disruption can lead to downtime, which directly impacts sales and service delivery
• Financial Losses: The financial impact of cyberattacks on e-commerce businesses can be substantial. This includes direct costs related to investigating, remediating, and responding to the attacks, as well as indirect costs such as lost sales during downtime. The average cost of a data breach in 2022 reached $4.35 million, highlighting the significant financial burden these incidents can impose
• Data Breaches and Loss of Sensitive Information: E-commerce platforms often store large amounts of personal and financial data. Cyberattacks can lead to data breaches, exposing sensitive customer information such as credit card details, addresses, and personal identification information. This not only violates customer privacy but also exposes the business to regulatory penalties and lawsuits
• Damage to Reputation and Customer Trust: The public disclosure of a cyberattack can significantly damage an e-commerce business's reputation, leading to a loss of customer trust. Rebuilding this trust can be a long and challenging process, and some businesses may never fully recover
• Regulatory and Compliance Risks: E-commerce businesses are subject to various regulations and compliance standards related to data protection and privacy. Cyberattacks that result in data breaches can lead to non-compliance, attracting significant fines and penalties
• Increased Cybersecurity Costs: Following a cyberattack, e-commerce businesses often need to invest heavily in improving their cybersecurity posture. This includes adopting new technologies, hiring additional security personnel, and implementing more stringent security measures. These increased costs can impact the business's bottom line and may be passed on to consumers in the form of higher prices
• Supply Chain Vulnerabilities: E-commerce businesses are part of a larger digital and physical supply chain. Attacks on one e-commerce platform can have ripple effects, impacting suppliers, partners, and customers. This interconnectedness can amplify the consequences of an attack, affecting a broader ecosystem

4) Cybersecurity Firms
The consequences of attacks on cybersecurity firms:
• Operational Disruption: Cybersecurity firms, like any other business, can face operational disruptions as a result of cyberattacks. This can affect their ability to serve clients and carry out daily operations, potentially leading to a temporary reduction in the security services they provide
• Financial Losses: The financial impact on cybersecurity firms can be substantial, encompassing the costs of investigating, remediating, and responding to the attacks. Additionally, there may be financial losses due to operational downtime and potential compensation claims from affected clients
• Data Breaches and Intellectual Property Theft: Cybersecurity firms often hold sensitive data, including proprietary security tools and techniques, as well as client information. A breach can lead to the loss of intellectual property and sensitive client data, undermining the firm's competitive position and client trust
• Damage to Reputation: Perhaps more so than in other industries, a cyberattack on a cybersecurity firm can significantly damage its reputation. Clients expect these firms to be the most secure, and a breach can lead to a loss of trust, making it difficult to retain and attract clients
• Regulatory and Compliance Risks: Cybersecurity firms are subject to stringent regulatory requirements. A cyberattack resulting in data breaches can lead to non-compliance issues, attracting fines and legal action
• Increased Cybersecurity Costs: Following an attack, a cybersecurity firm will likely need to invest heavily in bolstering its defenses. This could include adopting new technologies, hiring additional personnel, and implementing more stringent security measures, all of which can be costly
• Supply Chain Vulnerabilities: Cybersecurity firms are part of a larger digital ecosystem. An attack on one firm can have ripple effects, potentially compromising the security of clients and partners
• Psychological Impact and Loss of Morale: Cyberattacks can create a climate of fear and uncertainty among employees and management. For a cybersecurity firm, being the victim of an attack can also lead to a loss of morale, as it directly challenges the core mission of the organization

XIV. MALLOX
Abstract – This document provides an analysis of the Target Company ransomware group, also known as Smallpox, which has been rapidly evolving since its first identification in June 2021.
The analysis delves into various aspects of the group's operations, including its distinctive practice of appending targeted organizations' names to encrypted files, the evolution of its encryption algorithms, and its tactics for establishing persistence and evading defenses.
The insights gained from this analysis are crucial for informing defense strategies and enhancing preparedness against such evolving cyber threats.

A. Malware and Evasion Tactics
The TargetCompany ransomware group, aka Mallox, is known for its targeted ransomware attacks, primarily focusing on unsecured internet-facing Microsoft SQL servers. The ransomware encrypts victims' data and demands a ransom, typically in cryptocurrency, for the decryption key
The group has added tools like the Remcos RAT, BatCloak, and Metasploit to their arsenal, showcasing advanced obfuscation methods to avoid detection. They use fully undetectable (FUD) obfuscator packers to scramble their ransomware, making it harder for security software to detect and block the malware. They collect sensitive data using tools like MIMIKATZ and execute attacks with Trojan.BAT.TARGETCOMP*. They also employ defense evasion methods such as GMER, advanced Process Termination, and YDArk

B. Mitigation and Decryption
Mallox ransomware appends a unique encrypted file extension to the names of the targeted organization's files. It has been observed to avoid encrypting certain folders and file types to keep the infected system operational. The ransomware drops a note in every directory on the victim's drive, providing instructions for payment
Avast has released free decryptors for TargetCompany ransomware, which can decrypt files under certain circumstances. It is important to note that paying the ransom does not guarantee that the attackers will provide the decryption key, and it may encourage further criminal activity

C. Ransomware-as-a-Service (RaaS)
Mallox operates under a RaaS model, leveraging underground forums to advertise its services. The group maintains a TOR-based leak site where it posts announcements about recently compromised data

1) Mallox Spreading
TargetCompany ransomware, also known as Mallox ransomware, spreads through various methods. The ransomware primarily targets companies rather than individual users.
One of the initial access techniques used by TargetCompany is phishing, where it uses malicious Microsoft OneNote files to gain access to the victim's system. Another method is through brute-force attacks on Microsoft SQL (MS SQL) Servers. The ransomware group is known for exploiting inadequately secured MS-SQL servers, using dictionary attacks as an entry point to infiltrate victims' networks.
Once inside the system, the ransomware employs a PowerShell command to fetch the ransomware payload from a remote server. The payload attempts to halt and eliminate SQL-related services, erase volume shadow copies, clear system event logs, and end security-related processes. After these steps, it initiates the encryption process and subsequently leaves a ransom note in each directory.
The ransomware also collects system information and transfers it to the command-and-control (C2) server. The stolen data is then held hostage, with threats of publication on leak sites to coax victims into paying the ransom.
The ransomware encrypts the victim's files using the ChaCha20 encryption algorithm and generates the encryption key using ECDH, an example of elliptic curve cryptography, and AES-128. The encrypted files are appended with extensions that are the affected company's name.

2) Symptoms of a TargetCompany Ransomware Attack
The symptoms of a TargetCompany ransomware attack can vary depending on the specific variant of the ransomware and the tactics. However, some common symptoms include:
• Inability to access files: The most immediate and noticeable symptom of a ransomware attack is the inability to open or access files stored on your computer. The files are encrypted by the ransomware, and their extensions are changed to the affected company's name, such as ".artiis", ".brg", ".mallox", ".architek", ".tohnichi", ".herrco", and others
• Increased CPU and disk activity: Increased disk or main processor activity may indicate that ransomware is working in the background
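The symptoms listed in this section (ransom notes named "How to decrypt files.txt" or "RECOVERY FILES.txt", files renamed with a company-name extension) and the "/ap.php" C&C endpoint described under Methodology can be turned into a simple post-incident triage check. The script below is an added example, not code from the digest or from any vendor tool; the file listing, the proxy log lines and the log layout are constructed assumptions, and the allowlist of ordinary extensions is likewise an assumption.

```python
"""Triage helper for the TargetCompany/Mallox indicators this section lists.

Added example, not code from the digest or from any vendor tool. The ransom
note names, the file extensions and the "/ap.php" endpoint come from the
text; the file listing, the proxy log lines and the log layout are constructed
assumptions for the demonstration.
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse
import posixpath
import re

# Ransom note file names reported for Mallox (compared case-insensitively).
RANSOM_NOTE_NAMES = {"how to decrypt files.txt", "recovery files.txt"}

# Extensions named in the text. Mallox also appends the victim's company
# name, so this set is only a starting point; the per-directory heuristic
# in scan_file_listing() covers extensions nobody has catalogued yet.
KNOWN_EXTENSIONS = {".artiis", ".brg", ".mallox", ".architek", ".tohnichi", ".herrco"}

# Extensions considered ordinary on the share being triaged (assumption).
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}

# Assumed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>".
PROXY_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def scan_file_listing(paths, min_files=3, ratio=0.8):
    """Flag ransom notes, files with known Mallox extensions, and directories
    in which at least `min_files` files share one unusual final extension,
    which is what the appended-company-name behaviour looks like on disk."""
    ransom_notes, known_hits = [], []
    per_dir = defaultdict(Counter)
    for path in paths:
        directory, name = posixpath.split(path)
        ext = posixpath.splitext(name)[1].lower()  # '.docx.mallox' -> '.mallox'
        if name.lower() in RANSOM_NOTE_NAMES:
            ransom_notes.append(path)
            continue  # notes are not encrypted files; keep them out of the stats
        if ext in KNOWN_EXTENSIONS:
            known_hits.append(path)
        per_dir[directory][ext] += 1
    suspicious_dirs = {}
    for directory, counts in per_dir.items():
        total = sum(counts.values())
        ext, count = counts.most_common(1)[0]
        if (ext and ext not in COMMON_EXTENSIONS
                and total >= min_files and count / total >= ratio):
            suspicious_dirs[directory] = ext
    return {
        "ransom_notes": ransom_notes,
        "known_extension_files": known_hits,
        "suspicious_dirs": suspicious_dirs,
    }


def scan_proxy_log(lines):
    """Return (client_ip, url) for requests whose path ends in /ap.php,
    the C&C endpoint the text attributes to the group. Malformed lines
    are skipped rather than raising."""
    hits = []
    for line in lines:
        match = PROXY_LINE.match(line.strip())
        if not match:
            continue
        _ts, client, _method, url, _status = match.groups()
        if posixpath.basename(urlparse(url).path).lower() == "ap.php":
            hits.append((client, url))
    return hits


def triage(paths, log_lines):
    """Combine both checks and list the hosts that contacted /ap.php."""
    findings = scan_file_listing(paths)
    beacons = scan_proxy_log(log_lines)
    findings["c2_beacons"] = beacons
    findings["beaconing_hosts"] = sorted({client for client, _ in beacons})
    return findings


# Constructed sample data: a post-incident listing of a file share and a few
# proxy log lines. 198.51.100.0/24 is an address range reserved for documentation.
SAMPLE_LISTING = [
    "/share/finance/Q1-report.xlsx.acmecorp",
    "/share/finance/budget.docx.acmecorp",
    "/share/finance/forecast.pptx.acmecorp",
    "/share/finance/vendors.csv.acmecorp",
    "/share/finance/How to decrypt files.txt",
    "/share/hr/handbook.pdf.mallox",
    "/share/hr/RECOVERY FILES.txt",
    "/share/public/logo.png",
    "/share/public/readme.txt",
]
SAMPLE_PROXY_LOG = [
    "2024-04-02T10:15:01Z 10.0.0.25 GET http://198.51.100.7/ap.php?id=host01 200",
    "2024-04-02T10:15:03Z 10.0.0.25 POST http://198.51.100.7/ap.php 200",
    "2024-04-02T10:15:04Z 10.0.0.31 GET https://updates.example.com/patch.zip 200",
    "2024-04-02T10:15:05Z 10.0.0.31 GET http://198.51.100.7/Ap.PHP 200",
    "garbled line that does not match the expected layout",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING, SAMPLE_PROXY_LOG).items():
        print(f"{key}: {value}")
```

The directory heuristic deliberately ignores a single odd file, so a lone renamed file is reported only when its extension is already in the known set.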
• Ransom note: After the encryption process, the ransomware leaves a ransom note titled "How to decrypt files.txt" or "RECOVERY FILES.txt" in each directory. This note typically contains instructions for how to pay the ransom in order to receive the decryption key
• Network anomalies: The ransomware uses network scanning to collect network connection information, which can lead to unusual network activity
• Termination of specific processes and services: The ransomware attempts to halt and eliminate SQL-related services, erase volume shadow copies, clear system event logs, and end security-related processes

3) Methodology
• Initial Access: The group often gains initial access to victim systems through phishing campaigns that involve malicious OneNote files. They also exploit weak SQL servers for initial stage deployment
• Execution: The ransomware payload is executed using various methods. For instance, the group injects the ransomware executable into AppLaunch.exe. They also use command lines and PowerShell to download the ransomware payload from a remote server
• Persistence: The group aims for persistence via diverse methods, including altering URLs or paths until the execution of the Remcos RAT (Remote Access Trojan) succeeds
• Defense Evasion: The group uses Fully Undetectable (FUD) obfuscator packers to evade detection by security solutions. They also delete registry keys and shadow copies to damage recovery services
• Privilege Escalation: The ransomware assigns the SeTakeOwnershipPrivilege and SeDebugPrivilege for its process to ease its own malicious work
• Discovery: The group uses network scanning for discovery
• Collection: The group uses tools like MIMIKATZ for data collection
• Command and Control (C&C): The group establishes a connection to a C&C server with a "/ap.php" endpoint
• Encryption: The ransomware gets the mask of all logical drives in the system using the GetLogicalDrives() Win32 API. Each drive is checked for the drive type by GetDriveType(). If that drive is valid (fixed, removable, or network), the encryption of the drive proceeds
• Impact: After encryption, the ransomware leaves a ransom note. The group uses the double extortion method, threatening to leak stolen data if the ransom is not paid

4) Entry points & Delivery methods
Ransomware attacks can infiltrate a system through various entry points:
• Compromised Credentials: Attackers often gain access to a network by using stolen or compromised credentials. This can occur when employees fall victim to phishing attacks or when credentials are purchased on the dark web
• Unmanaged Devices or Bring Your Own Device (BYOD): Unmanaged devices or personal devices used for work purposes can be an entry point for ransomware if they are not properly secured
• Internet-facing Applications with Vulnerabilities: Vulnerabilities in applications that are exposed to the internet can be exploited by attackers to gain access to a network. This includes applications like SSL VPNs, Microsoft Exchange Servers, and Telerik UI-based web interfaces
• Phishing: Phishing attacks often target end users, tricking them into revealing sensitive information or downloading malicious software. Employees play a vital role in defending against this threat, making it imperative for organizations to invest in educating their workforce on recognizing and avoiding phishing attempts
• Infected Software Packages or Patches: Compromised patches or software packages can become entry points for ransomware criminals. This tactic capitalizes on the fact that users often quickly download and install updates to keep their systems secure, inadvertently allowing ransomware to infiltrate
• Brute Force Attacks on External Gateways: Cybercriminals are increasingly using techniques like brute force attacks to gain access to systems. This involves systematically attempting all possible combinations of passwords until the correct one is found
• Remote Desktop Protocol (RDP) and Credential Abuse: Attackers often exploit vulnerabilities in remote services like RDP or VPN servers. They may resort to phishing activities to get hold of the credentials or employ the credential dumps available on dark web forums
• Email: Email is a common entry point for ransomware attacks. Attackers often attach malicious files to emails. When unsuspecting victims open these documents, macros will execute, running the ransomware payload

Mallox uses various entry points to infiltrate systems:
• Remcos Backdoor: The group uses the Remcos backdoor as an initial access point. Remcos is a Remote Access Trojan (RAT) that allows attackers to control the infected system remotely
• Unsecured Microsoft SQL Servers: The group targets unsecured Microsoft SQL Servers, using them as entry points into victims' ICT infrastructures
• BatLoader: The group leverages BatLoader to execute ransomware payloads. BatLoader is a malicious
software that downloads and installs additional malware onto the infected system
• Network Scan: The group uses network scanning as a discovery method to identify potential targets within the network
• Trojan.BAT.TARGETCOMP: This is a malicious program used by the group for execution. It is designed to compromise the security of the infected system
• GMER: The group uses GMER, a rootkit detector and remover, for defense evasion. This allows the group to hide their activities and maintain persistence on the infected system

a) Entry points in industries
Manufacturing
• Industrial Control Systems (ICS) and Industrial Internet of Things (IIoT) Devices: Vulnerabilities in these systems are exploited to disrupt manufacturing operations
• Supply Chain Attacks: Compromising the supply chain, including third-party vendors, can provide an entry point for ransomware

Retail
• Point of Sale (POS) Systems: Malware can infect these systems to steal credit/debit card information
• Microsoft SQL Servers: Targeting unsecured MS-SQL servers used in retail operations

Telecommunications
• Remote Code Execution (RCE) Vulnerabilities: Exploiting vulnerabilities like CVE-2019-1069 and CVE-2020-0618 to execute arbitrary code
• Microsoft SQL Servers: Leveraging the xp_cmdshell feature in Microsoft SQL for remote execution

Business Services
• Outdated and Unpatched Systems: Relying on outdated systems makes it easier for criminals to gain access
• Functional IT Dependency: The inability to operate without IT incentivizes quick ransom payments

Healthcare
• Phishing and Social Engineering: Using deceptive emails to trick healthcare staff into installing ransomware
• Compromised Credentials: Utilizing stolen credentials to access healthcare networks

Finance
• Server Access Attacks and Misconfigurations: Exploiting server vulnerabilities and configuration errors
• Phishing and Credential Theft: Targeting high-value accounts like those of CEOs and CFOs

Government
• Phishing and Social Engineering: Using deceptive emails to trick government employees
• Ransomware-as-a-Service (RaaS): Utilizing RaaS models to target government entities

Education
• Phishing and Social Engineering: Using deceptive emails to trick educational staff and students
• Compromised Credentials: Utilizing stolen credentials to access educational networks

Information Technology
• Software Vulnerability Exploits: Exploiting known vulnerabilities in IT infrastructure
• Account Takeover: Gaining access to IT systems through compromised accounts

Transportation
• Phishing and Social Engineering: Targeting employees with phishing emails to gain access to the network
• Compromised Credentials: Utilizing stolen credentials to access transportation networks

Utilities
• Industrial Control Systems (ICS): Targeting vulnerabilities in ICS that are crucial for utility operations
• Phishing and Social Engineering: Using deceptive emails to trick utility staff into installing ransomware

D. Geographic Focus and Industry Targets
Mallox has targeted a range of company sizes, with a significant focus on small to medium-sized businesses. 37% of companies hit by ransomware had fewer than 100 employees, and 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees. While the proportion of large organizations was higher in H1 2022, the proportion of small and midsize organizations was higher in H1 2023, indicating a trend toward more small and midsize business targets. However, ransomware groups, including TargetCompany, are targeting large enterprises at a rate of nearly 25%. The median target company size of a ransomware attack was 275 employees, up 10% from the previous quarter
The group has primarily targeted enterprises in the Asia-Pacific region, followed by Europe and the Middle East (United States, India, Saudi Arabia, Canada, Germany, Australia, Brazil, Bulgaria, China, Vietnam). They have launched attacks on organizations in various sectors, including retail, wholesale, and legal services (Manufacturing, Retail, Telecommunications, Automobile, Business Services, Healthcare, Finance,
Government, Education, Information Technology, Transportation).

1) Manufacturing
In the manufacturing industry, ransomware attacks often exploit vulnerabilities in Industrial Control Systems (ICS) and Industrial Internet of Things (IIoT) devices. These systems are integral to manufacturing operations, and their compromise can lead to significant disruption.
These attacks extend beyond immediate financial losses, leading to significant breach response costs, possible exposure to third parties, diminution of market share, and damage to corporate reputation. In some cases, attackers may also demand a ransom in exchange for allowing the business to regain access to its computer systems. Moreover, ransomware attacks can lead to the loss of sensitive and personal information, which can have long-term implications for the affected companies and their customers

Operational Disruption
Ransomware attacks disrupt manufacturing operations significantly, often leading to substantial losses in production and disjointed operations. When ransomware disrupts production, operations can be halted for days or weeks, resulting in staggering financial losses. In some cases, ransomware attacks have led to production lines being brought to a standstill, meaning that customer orders cannot be fulfilled.

Financial Impact
The financial impact of ransomware attacks on the manufacturing sector is enormous. Between 2018 and 2023, 478 manufacturing companies suffered a ransomware attack, leading to a loss of approximately $46.2 billion in downtime alone. The cost of downtime is significant, with day-to-day operations impacted and production lines sometimes brought to a standstill.

Reputational Damage
Ransomware attacks can also cause significant reputational damage. The fallout from a ransomware attack can be long-lasting and can sometimes lead to a business never recovering from the reputational fallout.

Data Breach and Privacy Concerns
Data breaches are a common consequence of ransomware attacks. In 32% of attacks, attackers stole the data in addition to encrypting it. More than 7.5 million individual records were breached as a result of these attacks.

Legal and Regulatory Consequences
Legal and regulatory consequences can arise from ransomware attacks, particularly when they result in data breaches. Companies may face penalties for failing to adequately protect customer data, and they may also face lawsuits from customers or business partners affected by the breach.

Long-Term Effects
The long-term effects of ransomware attacks can include unplanned workforce reductions and even closure of the business altogether. In some cases, ransomware attacks have led to companies asking to be put in receivership, threatening jobs.

Increased Frequency of Attacks
In 2023, the manufacturing sector was the hardest hit, signaling significant vulnerabilities in this sector. The number of attacks against manufacturing plants also jumped about 107% compared with the previous year

2) Retail
In the retail industry, one of the common entry points for ransomware attacks is through Point of Sale (POS) systems. Attackers often use malware to infect these systems and steal credit/debit card information. Additionally, ransomware groups have been observed targeting and attacking Microsoft SQL (MS-SQL) servers, which are often used in retail operations
Ransomware attacks can cripple a retail business, leading to direct financial losses, operational halts, long-term reputational damage, and legal consequences. The retail sector's reliance on digital systems and the handling of sensitive customer data make it a lucrative target for cybercriminals.

Operational Disruption
• Sales Loss: A ransomware attack can lead to thousands of lost sales opportunities, especially during peak seasons like Black Friday or Christmas
• Business Continuity: Ransomware attacks can disrupt critical business operations, preventing or limiting access to systems and preventing the sale of goods
• Downtime: Even a few hours of web shop downtime can have a huge financial impact, and customers may turn to other platforms to get their products

Financial Impact
• Revenue Loss: Retail organizations report significant loss of revenue following ransomware attacks
• Ransom Payments: Retailers may feel compelled to pay ransoms, especially during high sales periods, and the proportion of retail organizations paying higher ransoms has increased
• Recovery Costs: Victim retailers that pay ransoms end up with median recovery costs four times higher than those that don't

Reputational Damage
• Customer Trust: Ransomware attacks can shatter customer trust if personal information is compromised
• Brand Damage: The perception of an "unsafe" business can be more damaging than the immediate financial loss, affecting the retailer's reputation
• Public Perception: Successful attacks may be seen as an indication of weak security practices, leading customers to conduct business elsewhere

Data Breach
• Sensitive Information: Retailers process credit card data and personal information, which is at risk of being exposed as a result of a ransomware attack
• Data Leakages: Ransomware attacks pose significant risks of data leakages, which can lead to loss of consumer confidence

Employee Impact
• Layoffs: Nearly half of retailers experienced employee layoffs after falling victim to ransomware
• Suspension of Business: A third of retailers had to temporarily suspend or halt their business operations

Supply Chain and Third-Party Risks
• Supply Chain Attacks: Attackers can infect many organizations by targeting vendors, leading to supply chain disruptions
• Third-Party Dependencies: Retailers rely on extended supply chains and third-party dependencies, which can introduce cybersecurity risks

Legal and Regulatory Consequences
Retailers may face legal consequences if customer data is compromised, including fines and penalties for non-compliance with data protection regulations.

3) Telecommunications
In the telecommunications industry, ransomware attacks often exploit remote code execution (RCE) vulnerabilities, such as CVE-2019-1069 and CVE-2020-0618, which allow attackers to execute arbitrary code. The attackers may also leverage remote execution via the xp_cmdshell feature in Microsoft SQL
Ransomware attacks can cripple a telecom business, leading to direct financial losses, operational halts, long-term reputational damage, and legal consequences.

Operational Disruption
• Service Interruption: Ransomware attacks can disrupt telecommunications services, affecting both individual and business communications
• Network Infiltration: The interconnected nature of telecom networks increases the risk of infiltration, potentially providing access to information across various connected systems

Financial Impact
• Revenue Loss: A ransomware attack can severely affect the operating capability of an organization, leading to a decline in revenue or a complete halt of operations while recovering
• Ransom Payments and Recovery Costs: Companies may face significant costs related to ransom payments, recovery efforts, legal fees, and other related expenses

Reputational Damage
• Customer Trust: A successful attack can damage the reputation of a telecom company, leading customers to conduct business elsewhere due to perceived weak security practices
• Brand Damage: The perception of an "unsafe" business can be more damaging than the immediate financial loss

Data Breach and Privacy Concerns
• Sensitive Data Exposure: Telecom companies house extensive customer data, and ransomware attacks can lead to breaches of sensitive data
• Double Extortion: Attackers may threaten to release the organization's sensitive data if the ransom is not paid, leading to double-extortion attacks

Legal and Regulatory Consequences
Companies may face legal consequences if customer data is compromised, including fines and penalties for non-compliance with data protection regulations

Supply Chain and Third-Party Risks
• Supply Chain Attacks: Attackers can infect many organizations by targeting vendors, leading to supply chain disruptions
• Third-Party Dependencies: Telecom companies rely on extended supply chains and third-party dependencies, which can introduce cybersecurity risks

Intellectual Property Theft
The valuable intellectual property of telecom companies is at risk of being stolen or compromised, potentially harming competitive advantages and innovative efforts

Long-Term Espionage
Some attacks on telecom providers are conducted by highly sophisticated threat groups aiming for long-term espionage

4) Automobile & Transportation
Ransomware attacks can cripple a business, leading to direct financial losses, operational halts, long-term reputational damage, and legal consequences. These sectors' reliance on digital systems and the handling of sensitive customer data make them a lucrative target for cybercriminals. It is essential for automotive companies to implement robust cybersecurity measures, maintain regular backups, and have an incident response plan to mitigate the risks associated with ransomware attacks

Operational Disruption
• Production Halts: Ransomware attacks can lead to the shutdown of manufacturing plants, causing delays in production and delivery
• Supply Chain Vulnerability: The supply chain is complex and interconnected, making it vulnerable to attacks that can have cascading effects

Financial Impact
• Ransom Payments: The automotive industry has seen some of the highest ransom payments, with industrial companies spending $6.9 million in 2019, which was 62% of all ransomware payoffs
• Revenue Loss: Attacks can severely affect the operating capability of organizations, leading to a decline in revenue or a complete halt of operations while recovering

Reputational Damage
• Customer Trust: Successful attacks can damage the reputation of automotive companies, leading customers to conduct business elsewhere due to perceived weak security practices
• Brand Damage: The perception of an "unsafe" business can be more damaging than the immediate financial loss

Data Breach and Privacy Concerns
• Sensitive Data Exposure: Automotive companies house extensive customer data, and ransomware attacks can lead to breaches of sensitive data
• Double Extortion: Attackers may threaten to release the organization's sensitive data if the ransom is not paid, leading to double-extortion attacks

Legal and Regulatory Consequences
Companies may face legal consequences if customer data is compromised, including fines and penalties for non-compliance with data protection regulations

Intellectual Property Theft
The valuable intellectual property of companies is at risk of being stolen or compromised, potentially harming competitive advantages and innovative efforts

Long-Term Espionage
Some attacks on automotive providers are conducted by highly sophisticated threat groups aiming for long-term espionage

5) Business Services
Ransomware attacks can cripple a business in the services industry, leading to direct financial losses, operational halts, long-term reputational damage, and legal consequences.

Operational Disruption
• Downtime: Ransomware attacks can bring operations to a halt, causing significant downtime and disrupting business activities
• Loss of Business: If critical files are encrypted, businesses may be unable to operate, leading to lost opportunities and revenue

Financial Impact
• Ransom Payments: Businesses may feel compelled to pay the ransom to quickly regain access to their data, especially if backups are not available or are also compromised
• Recovery Costs: Beyond the ransom payment, businesses face substantial costs in remediation efforts, including IT services, legal fees, and potential regulatory fines
• Revenue Loss: The inability to operate during and after an attack can lead to a significant decline in revenue

Reputational Damage
• Customer Trust: A ransomware attack can severely damage a company's reputation, leading customers to lose trust and potentially take their business elsewhere
• Brand Damage: The perception of inadequate security measures can tarnish a brand's image, affecting long-term business prospects

Data Breach and Privacy Concerns
• Sensitive Data Exposure: Business services firms often handle sensitive client data. A ransomware attack can lead to data breaches, exposing confidential information
• Double Extortion: Attackers may not only encrypt data but also threaten to release it publicly if the ransom is not paid, compounding the impact

Legal and Regulatory Consequences
If customer data is compromised, businesses may face legal consequences and fines for non-compliance with data protection regulations

Supply Chain and Third-Party Risks
Ransomware attacks can extend beyond the directly affected business, impacting clients, partners, and suppliers

Intellectual Property Theft
For firms that rely on proprietary methods or data, ransomware attacks pose a risk of intellectual property theft

Long-Term Espionage
Some attacks may be part of long-term espionage efforts, aiming to gather strategic information over time

6) Healthcare
Ransomware attacks can cripple healthcare organizations, leading to direct financial losses, operational halts, long-term reputational damage, and legal consequences.

Operational Disruption
• Service Interruption: Ransomware attacks can disrupt healthcare operations by encrypting or rendering medical records and systems inaccessible, leading to delays in patient care and potentially causing patient deaths
• Increased Patient Mortality: Research indicates that ransomware attacks increase in-hospital mortality for patients admitted during an attack, with a significant rise in the risk of dying

Financial Impact
• Revenue Loss and Remediation Costs: Healthcare organizations may face financial losses tied to revenue
loss, ransom payments, remediation costs, as well as • Revenue Loss and Remediation Costs: Financial
brand damage and legal fees. The average cost of a organizations may face financial losses tied to revenue
healthcare ransomware attack was $4.82 million in 2021 loss, ransom payments, remediation costs, as well as
brand damage and legal fees. The average cost of a
• Downtime-Related Losses: Ransomware attacks on financial ransomware attack was $5.9 million per cyber
healthcare have resulted in downtime-related losses of incident in 2023
more than $77 billion for the U.S. economy
• Downtime-Related Losses: Ransomware attacks on
Reputational Damage financial services have resulted in substantial financial
Successful ransomware attacks can severely damage the losses, including the costs associated with the severity
reputation of healthcare providers, leading to a loss of patient of the attack and the extent of the data exposure
trust and potentially driving patients to seek care elsewhere Reputational Damage
Data Breach and Privacy Concerns • Loss of Trust: Successful ransomware attacks can
• Sensitive Data Exposure: Healthcare organizations severely damage the reputation of financial institutions,
house extensive patient data. Ransomware attacks can leading customers to lose trust and potentially take their
lead to breaches of sensitive data, including personal business elsewhere
health information (PHI), exposing millions of patients • Brand Damage: The perception of inadequate security
to privacy risks measures can tarnish a brand's image, affecting long-
• Double Extortion: Attackers may threaten to release term business prospects
sensitive data if the ransom is not paid, compounding the Data Breach and Privacy Concerns
impact of the attack
• Sensitive Data Exposure: Financial institutions house
Legal and Regulatory Consequences extensive customer data. Ransomware attacks can lead
If patient data is compromised, healthcare organizations may to breaches of sensitive data, exposing millions of
face legal consequences and fines for non-compliance with data customers to privacy risks
protection regulations • Double Extortion: Attackers may threaten to release
Supply Chain and Third-Party Risks sensitive data if the ransom is not paid, compounding the
impact of the attack
Ransomware attacks can extend beyond the directly affected
healthcare provider, impacting clients, partners, and suppliers Legal and Regulatory Consequences

Intellectual Property Theft If customer data is compromised, financial institutions may


face legal consequences and fines for non-compliance with data
Ransomware attacks pose a risk of intellectual property theft, protection regulations
potentially harming competitive advantages and innovative
efforts Supply Chain and Third-Party Risks

Long-Term Espionage Ransomware attacks can extend beyond the directly affected
financial institution, impacting clients, partners, and suppliers
Some attacks on healthcare providers are conducted by
highly sophisticated threat groups aiming for long-term Intellectual Property Theft
espionage Ransomware attacks pose a risk of intellectual property theft,
potentially harming competitive advantages and innovative
7) Finance
efforts
Ransomware attacks can cripple financial institutions,
leading to direct financial losses, operational halts, long-term Long-Term Espionage
reputational damage, and legal consequences.
Some attacks on financial institutions are conducted by
Operational Disruption highly sophisticated threat groups aiming for long-term
espionage
• Service Interruption: Ransomware attacks can disrupt
financial operations by encrypting or rendering financial 8) Government
records and systems inaccessible, leading to delays in Ransomware attacks on government entities can cripple vital
financial transactions and potentially causing significant operations, lead to significant financial losses, damage public
operational disruptions trust, and have long-lasting effects on the community.
• Network Infiltration: The interconnected nature of Operational Disruption
financial networks increases the risk of infiltration,
potentially providing access to information across • Service Interruption: Ransomware can shut down
various connected systems digital assets such as payment platforms or citizen
portals, grinding municipal operations to a halt
Financial Impact
• Emergency Services: Attacks that shut down 911 or
311 dispatch systems could put lives at risk

76
Read more: Boosty | Sponsr | TG

• System Downtime: Government employees may be left • Emergency Services: Attacks that shut down 911 or
without their systems, resorting to manual processes 311 dispatch systems could put lives at risk
Financial Impact • System Downtime: Government employees may be left
without their systems, resorting to manual processes
• Costs: Between 2018 and December 2023, ransomware
attacks on US government organizations cost an Financial Impact
estimated $860.3 million
• Costs: Between 2018 and December 2023, ransomware
• Ransom Payments: Governments may be forced to pay attacks on US government organizations cost an
ransoms or face the costly decision to rebuild systems estimated $860.3M; The average cost of an educational
ransomware attack was $2.73M per cyber incident.
Reputational Damage
• Ransom Payments: Governments may be forced to pay
• Public Trust: A ransomware attack can damage the ransoms or face the costly decision to rebuild systems
reputation of government entities, potentially resulting
in the loss of public confidence Reputational Damage
• Perception of Security: Successful attacks may be seen • Public Trust: A ransomware attack can damage the
as an indication of weak security practices, leading the reputation of government entities, potentially resulting
public to question the government's ability to protect in the loss of public confidence
sensitive information
• Perception of Security: Successful attacks may be seen
Data Breach and Privacy Concerns as an indication of weak security practices, leading the
public to question the government's ability to protect
• Sensitive Information: Governments risk losing sensitive information
control of classified, confidential, and personal
information, such as social security numbers or credit Data Breach and Privacy Concerns
card information
• Sensitive Information: Governments risk losing
• Data Loss: Ransomware can render data and systems control of classified, confidential, and personal
unusable, leading to potential data loss if backups are information, such as social security numbers or credit
not available or are compromised card information
Legal and Regulatory Consequences • Data Loss: Ransomware can render data and systems
unusable, leading to potential data loss if backups are
Governments may face legal consequences and fines for not available or are compromised
non-compliance with data protection regulations if citizen data
is compromised Legal and Regulatory Consequences
Long-Term Effects Governments may face legal consequences and fines for
non-compliance with data protection regulations if citizen data
• Learning and Monetary Loss: Ransomware attacks on is compromised
schools, for example, can cause learning loss as well as
monetary loss Long-Term Effects
• Psychosocial Impact: There may be significant short- • Learning and Monetary Loss: Ransomware attacks on
and long-term social and psychological effects on schools, can cause learning loss as well as monetary loss
individuals affected by the attacks
• Psychosocial Impact: There may be significant short-
Increased Frequency of Attacks and long-term social and psychological effects on
individuals affected by the attacks
There has been a significant increase in ransomware attacks
on government organizations, with a 313% rise in endpoint Increased Frequency of Attacks
security services incidents reported
There has been a significant increase in ransomware attacks
9) Education on government organizations, with a 313% rise in endpoint
Ransomware attacks can cripple educational institutions, security services incidents reported
leading to direct financial losses, operational halts, long-term
10) Information Technology
reputational damage, and legal consequences. The education
Ransomware attacks can cripple IT businesses, leading to
sector's reliance on digital systems and the handling of sensitive
direct financial losses, operational halts, long-term reputational
student and staff data make it a lucrative target for
damage, and legal consequences.
cybercriminals.
Operational Disruption
Operational Disruption
• Service Interruption: Ransomware can disrupt IT
• Service Interruption: Ransomware can shut down operations by encrypting or rendering systems and data
digital assets such as payment platforms or citizen
inaccessible, leading to delays in services and
portals, grinding municipal operations to a halt potentially causing significant operational disruptions

77
Read more: Boosty | Sponsr | TG

• Network Infiltration: The interconnected nature of IT • Service Interruption: Ransomware attacks can disrupt
networks increases the risk of infiltration, potentially utilities operations by encrypting or rendering systems
providing access to information across various and data inaccessible, leading to delays in services and
connected systems potentially causing significant operational disruptions
Financial Impact • Network Infiltration: The interconnected nature of
utilities networks increases the risk of infiltration,
• Revenue Loss: Organizations may experience a decline potentially providing access to information across
in revenue or a complete halt of operations while various connected systems
recovering from a ransomware attack, even if they have
functional backups Financial Impact
• Ransom Payments and Recovery Costs: Companies • Revenue Loss: Organizations may experience a decline
may face significant costs related to ransom payments, in revenue or a complete halt of operations while
system recovery, legal fees, and other related expenses recovering from a ransomware attack, even if they have
functional backups
Reputational Damage
• Ransom Payments and Recovery Costs: Companies
• Customer Trust: A successful attack can damage the may face significant costs related to ransom payments,
reputation of IT companies, leading customers to system recovery, legal fees, and other related expenses
conduct business elsewhere due to perceived weak
security practices Reputational Damage
• Brand Damage: The perception of an "unsafe" business • Customer Trust: A successful attack can damage the
can be more damaging than the immediate financial reputation of utilities companies, leading customers to
loss, affecting the company's reputation conduct business elsewhere due to perceived weak
security practices
Data Breach and Privacy Concerns
• Brand Damage: The perception of an "unsafe" business
• Sensitive Data Exposure: IT companies house can be more damaging than the immediate financial
extensive customer and operational data. Ransomware loss, affecting the company's reputation
attacks can lead to breaches of sensitive data, exposing
customers to privacy risks Data Breach and Privacy Concerns
• Double Extortion: Attackers may threaten to release • Sensitive Data Exposure: Utilities companies house
sensitive data if the ransom is not paid, leading to extensive customer and operational data. Ransomware
double-extortion attacks attacks can lead to breaches of sensitive data, exposing
customers to privacy risks
Legal and Regulatory Consequences
• Double Extortion: Attackers may threaten to release
If customer data is compromised, IT companies may face sensitive data if the ransom is not paid, leading to
legal consequences and fines for non-compliance with data double-extortion attacks
protection regulations
Legal and Regulatory Consequences
Supply Chain and Third-Party Risks
If customer data is compromised, utilities companies may
Ransomware attacks can extend beyond the directly affected face legal consequences and fines for non-compliance with data
IT company, impacting clients, partners, and suppliers protection regulations
Intellectual Property Theft Supply Chain and Third-Party Risks
Ransomware attacks pose a risk of intellectual property theft, Ransomware attacks can extend beyond the directly affected
potentially harming competitive advantages and innovative utilities company, impacting clients, partners, and suppliers
efforts
Intellectual Property Theft
Long-Term Espionage
Ransomware attacks pose a risk of intellectual property theft,
Some attacks on IT companies are conducted by highly potentially harming competitive advantages and innovative
sophisticated threat groups aiming for long-term espionage efforts
11) Utilities Long-Term Espionage
Ransomware attacks can cripple utilities businesses, leading
to direct financial losses, operational halts, long-term Some attacks on utilities companies are conducted by highly
reputational damage, and legal consequences. sophisticated threat groups aiming for long-term espionage
Operational Disruption

78
Read more: Boosty | Sponsr | TG

XV. ALPHV

Abstract – This document presents an analysis of the AlphV ransomware site, associated with the ransomware group also known as BlackCat. The analysis covers the ransomware's technical details, including its encryption mechanisms, initial access vectors, lateral movement techniques, and data exfiltration methods.
The insights gained from this analysis are important for cybersecurity practitioners, IT professionals, and policymakers. Understanding the intricacies of AlphV/BlackCat ransomware enables the development of more effective defense mechanisms and enhances incident response strategies.

A. Introduction
The AlphV ransomware site, associated with the ransomware group also known as BlackCat, experienced a series of disruptions and takedowns by the FBI, followed by attempts by the group to regain control. On December 19, 2023, the FBI, in a coordinated effort with international law enforcement, seized the group's website and shared a seizure notice on the leak site. This action was part of a disruption campaign against the BlackCat ransomware group, which has targeted the computer networks of over 1,000 victims worldwide, including those supporting U.S. critical infrastructure.
The FBI also developed a decryption tool that was provided to hundreds of ransomware victims globally, enabling businesses, schools, healthcare, and emergency services to recover and come back online. However, AlphV officials quickly responded by regaining temporary control of their site and posting a new notice stating, "This website has been unseized." They downplayed the significance of the FBI's action and announced that 'VIP' affiliates would receive a private program on separate isolated data centers.
Despite the initial success of the FBI's seizure, the AlphV site came back online, stripped of all references to victims previously published as part of their extortion strategy. The group also claimed that the FBI only had decryption keys for about 400 companies, leaving more than 3,000 victims with encrypted data. In retaliation, AlphV lifted its self-imposed ban on attacking critical infrastructure sectors, including healthcare and nuclear facilities.
The back-and-forth between the FBI and AlphV led to multiple instances of the website being seized and then "unseized," showcasing a tug-of-war over control of the site. Despite these events, the FBI and its partners continue to investigate and pursue the individuals behind BlackCat, with the goal of bringing them to justice.

B. AlphV ransomware
The ALPHV ransomware operates by running with an access token consisting of a 32-byte value. It comes with an encrypted configuration that contains a list of services/processes, a list of whitelisted directories/files/file extensions, and a list of stolen credentials from the victim environment. The ransomware scans the volumes on the local machine, mounts all unmounted volumes, and starts encrypting files. It also deletes all Volume Shadow Copies, making it harder for victims to recover their data.
The ransomware has evolved to include more complex arguments, making it harder to detect. Its configuration data is not JSON formatted but raw structures, and it contains junk code and thousands of encrypted strings which hinder static analysis.
ALPHV ransomware has been observed to exploit vulnerabilities in exposed services or weak credentials for initial access. It also uses tools like ExMatter to steal sensitive data before deploying ransomware.

C. AlphV Tactics
The ALPHV ransomware employs several distribution tactics to compromise systems:
• Phishing Emails: These deceptive messages are crafted to lure victims into opening malicious content, often disguised as legitimate communications
• Malvertising: This involves the use of malicious advertisements to distribute malware. The ALPHV ransomware group has been known to manipulate Google Ads to lead unsuspecting users to malicious sites
• Infected Software Installers: The group often uses infected software installers to deliver the ransomware. This includes cloned webpages of legitimate organizations, which are used to distribute malware via infected links or files
• Exploitation of Software Vulnerabilities: The group exploits vulnerabilities in Windows operating systems, exchange servers, and Secure Mobile Access products to gain access to victims' networks
• Triple Extortion Method: This emerging threat involves stealing data from local machines and cloud servers, executing ransomware, and then introducing additional pressure on the victim via DDoS attacks or data leaks

D. AlphV Entry Points
The ALPHV ransomware has been identified as one of the most prolific ransomware-as-a-service variants in the world, affecting various sectors including Manufacturing, Technology, Retail & Wholesale, Finance, Healthcare and Public Health, Government and Energy, and Professional Services.
The initial entry points of ALPHV ransomware into victim networks are primarily through compromised user credentials and exploiting software vulnerabilities. For instance, ALPHV affiliates have been observed targeting publicly exposed Veritas Backup Exec installations, which were vulnerable to specific CVEs, for initial access to victim environments.
In the healthcare sector, ransomware attacks often exploit multiple possible entry points, including phishing emails, software vulnerabilities, Remote Desktop Protocol attacks, and drive-by downloads from malicious websites. The ALPHV ransomware has been a significant threat to the Healthcare and Public Health (HPH) sector.
In the financial sector, ALPHV ransomware attacks have underscored the need for enhanced incident detection capabilities and robust, timely reporting in the face of evolving cyber threats.
In the technology sector, the ALPHV ransomware gang has been known to compromise digital lending technology vendors, as seen in the attack on MeridianLink.
In the government sector, the disruptions caused by the ransomware variant have affected U.S. critical infrastructure, including government facilities.
In the energy sector, the ALPHV ransomware has been observed to target networks that support U.S. critical infrastructure.
In the professional services sector, the ALPHV ransomware has been known to target legal, IT, industrial, and financial services.
In addition to these methods, ALPHV ransomware also leverages Windows administrative tools and Microsoft Sysinternals tools during compromise. It's also worth noting that some ALPHV affiliates exfiltrate data and extort victims without ever deploying ransomware.

E. Encryption and Payments methods
ALPHV ransomware employs sophisticated encryption methods to lock victims' data. The ransomware uses a combination of symmetric and asymmetric encryption, although specific details about these algorithms are not publicly disclosed. More specifically, ALPHV ransomware uses either AES or ChaCha20 encryption, depending on its configuration. The ransomware generates a random AES key for each file, which is then encrypted using an RSA public key stored in the BlackCat configuration. The file is then encrypted using AES.
As for payment methods, ALPHV ransomware affiliates typically request ransom payments in cryptocurrencies, specifically Bitcoin and Monero. These cryptocurrencies are favored due to their decentralized nature and the anonymity they provide to the recipients. The ransom amounts demanded by ALPHV are often exorbitant, ranging from five to six digits in USD. However, it's worth noting that the threat actors have been known to negotiate and accept payments below the initial ransom demand

F. AlphV Targets
The ALPHV ransomware has been found to target organizations of various sizes. According to data from ransom leak sites, most victims come from companies with 51-200 employees, accounting for 20.57% of the total. This is followed by companies with fewer than 50 employees, which make up 16.91% of the victims:
• Companies with 501-1,000 employees: 7.12%
• Companies with 1,000-5,000 employees: 9.92%
• Companies with 5,000-10,000 employees: 2.38%
• Companies with 10,000+ employees: 4.46%
However, it's important to note that there is a category labeled "unknown," accounting for 27.87% of the total, indicating that the company size of some victims is not known.
In the fourth quarter of 2022, BlackCat's successful attacks primarily targeted small businesses, making up 38.9% of the total, followed by midsize companies at 28.6%.
ALPHV ransomware targets a wide range of organizations across multiple sectors:
• Healthcare Organizations: ALPHV has been linked to attacks on healthcare organizations, including the leaking of sensitive images of breast cancer patients. Norton Healthcare was also a victim of an ALPHV attack
• Financial Institutions: Fidelity National Financial was targeted by ALPHV. The ransomware group also claimed a breach in the systems of accounting software vendor Tipalti, with plans to extort the vendor's clients
• Oil Companies: Two German oil companies were targeted by the BlackCat ransomware group
• Hospitality and Entertainment: High-profile attacks have been linked to ALPHV, including those on MGM Resorts and Caesars Entertainment
• Manufacturing and Warehousing: ALPHV has targeted a manufacturer and a warehouse provider
• Government Facilities and Emergency Services: The DOJ connected the ALPHV ransomware variant to attacks against U.S. critical infrastructure, including government facilities and emergency services
• Schools: Schools have also been targeted by ALPHV
• Defense Industrial Base Companies: These companies have been targeted by ALPHV as part of its attacks on U.S. critical infrastructure
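Two of the behaviours section B attributes to the ransomware, a 32-byte access token at launch and deletion of Volume Shadow Copies, are visible in ordinary process-creation telemetry. The Go program below is an added example written for this digest, not code from the page, the FBI or any vendor: it runs two rules over constructed process events (hostnames, paths and the `--token` flag are made up for the example), flags shadow-copy deletion issued through vssadmin or wmic (MITRE ATT&CK T1490), and raises the severity when the same host had already started a process with a 64-hex-character (32-byte) argument. Treating such an argument as the token is a heuristic assumption of this example, which is why it only escalates and never alerts on its own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ProcessEvent is a minimal process-creation record with the fields an EDR
// or Sysmon Event ID 1 provides. Every event fed to it in this file is
// constructed for the example; none is real telemetry.
type ProcessEvent struct {
	Host        string
	Image       string // full path of the started executable
	CommandLine string
}

// Finding is one alert raised by the detector.
type Finding struct {
	Host     string
	Rule     string
	Severity string // "medium" or "high"
	Detail   string
}

// A 64-character hex argument is 32 bytes, the size of the access token the
// ransomware runs with (section B). On its own it is a weak signal, since
// many legitimate tools take 32-byte hashes on the command line, so it is
// used only to escalate other findings on the same host. Treating such an
// argument as a token indicator is an assumption of this example.
var hex32Bytes = regexp.MustCompile(`(?i)(?:^|[\s=])[0-9a-f]{64}(?:\s|$)`)

// isShadowCopyDeletion matches the two usual command-line forms of deleting
// Volume Shadow Copies (MITRE ATT&CK T1490), the recovery-inhibition step the
// page attributes to ALPHV. Merely listing shadows is not flagged.
func isShadowCopyDeletion(ev ProcessEvent) bool {
	img := strings.ToLower(ev.Image)
	cl := strings.ToLower(ev.CommandLine)
	viaVssadmin := strings.HasSuffix(img, `\vssadmin.exe`) &&
		strings.Contains(cl, "delete") && strings.Contains(cl, "shadows")
	viaWmic := strings.HasSuffix(img, `\wmic.exe`) &&
		strings.Contains(cl, "shadowcopy") && strings.Contains(cl, "delete")
	return viaVssadmin || viaWmic
}

// Analyze runs the rules over a time-ordered batch of events. Shadow-copy
// deletion is medium by default and high when the same host earlier launched
// a process carrying a 32-byte hex token: "token-gated binary starts, then
// backups are destroyed" is the sequence section B describes.
func Analyze(events []ProcessEvent) []Finding {
	tokenSeen := map[string]bool{}
	var out []Finding
	for _, ev := range events {
		if hex32Bytes.MatchString(ev.CommandLine) {
			tokenSeen[ev.Host] = true
		}
		if !isShadowCopyDeletion(ev) {
			continue
		}
		sev := "medium"
		if tokenSeen[ev.Host] {
			sev = "high"
		}
		out = append(out, Finding{ev.Host, "shadow-copy-deletion", sev, ev.CommandLine})
	}
	return out
}

// sampleEvents are constructed log lines: a benign listing of shadows, a
// token-gated launch followed by deletion on fs02, a deletion with no token
// on db03, and a hashing tool whose 64-hex argument must not raise anything.
func sampleEvents() []ProcessEvent {
	token := strings.Repeat("ab", 32) // constructed 32-byte value, hex encoded
	return []ProcessEvent{
		{"ws01", `C:\Windows\System32\vssadmin.exe`, "vssadmin list shadows"},
		{"fs02", `C:\Users\Public\update.exe`, "update.exe --token " + token},
		{"fs02", `C:\Windows\System32\vssadmin.exe`, "vssadmin.exe Delete Shadows /All /Quiet"},
		{"db03", `C:\Windows\System32\wbem\WMIC.exe`, "wmic shadowcopy delete"},
		{"ws01", `C:\Tools\hasher.exe`, "hasher.exe --sha256=" + token},
	}
}

func main() {
	for _, f := range Analyze(sampleEvents()) {
		fmt.Printf("[%s] %s on %s: %s\n", f.Severity, f.Rule, f.Host, f.Detail)
	}
}
```

On the sample batch this yields two findings: a high one for fs02 (token seen, then deletion) and a medium one for db03; ws01 produces nothing, because a 64-hex argument alone is expected from hashing and checksum tools. In production the token heuristic should be tuned against your own baseline before it is allowed to change severity.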
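Section E describes a hybrid (envelope) scheme: a random symmetric key per file, wrapped with an RSA public key carried in the configuration. The Go program below is an added example written for this digest, not the ransomware's code or any vendor's decryptor; it uses standard-library AES-256-GCM and RSA-OAEP with SHA-256 (the algorithm choices, padding and layout are this example's assumptions, since the page names only "AES or ChaCha20" and an RSA public key) to show the key hierarchy a responder has to reason about: the RSA private key unwraps every per-object key, whereas a single recovered per-object key opens one object only. The two sample documents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one encrypted object: the per-object key wrapped with the RSA
// public key, the AES-GCM nonce, and the ciphertext. Algorithms, padding and
// layout are this example's choices (AES-256-GCM, RSA-OAEP/SHA-256); the page
// only states "AES or ChaCha20, a random key per file, RSA public key in the
// configuration".
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts one buffer under a fresh random 256-bit key and wraps that
// key with pub. The sealer keeps nothing: after Seal returns, only the holder
// of the matching private key can get the per-object key back.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// UnwrapKey is the step that needs the RSA private key. A decryptor such as
// the law-enforcement tool mentioned in section A is only useful for victims
// whose private key it holds; without it the per-object key is unrecoverable.
func UnwrapKey(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
}

// OpenWithKey decrypts one envelope with its already-unwrapped key. Because
// every object has its own key, one recovered key opens exactly one object;
// GCM's authentication tag rejects it for any other.
func OpenWithKey(key []byte, env *Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// KeyHierarchyDemo seals two constructed documents, recovers both with the
// private key, and checks that the first object's key is useless against the
// second. It returns (round trip ok, cross-key open rejected, error).
func KeyHierarchyDemo() (bool, bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	docs := [][]byte{
		[]byte("constructed sample: quarterly ledger"),
		[]byte("constructed sample: patient roster"),
	}
	envs := make([]*Envelope, len(docs))
	keys := make([][]byte, len(docs))
	for i, d := range docs {
		if envs[i], err = Seal(&priv.PublicKey, d); err != nil {
			return false, false, err
		}
		if keys[i], err = UnwrapKey(priv, envs[i]); err != nil {
			return false, false, err
		}
		var pt []byte
		if pt, err = OpenWithKey(keys[i], envs[i]); err != nil {
			return false, false, err
		}
		if !bytes.Equal(pt, d) {
			return false, false, errors.New("round trip mismatch")
		}
	}
	_, err = OpenWithKey(keys[0], envs[1])
	return true, err != nil, nil
}

func main() {
	ok, rejected, err := KeyHierarchyDemo()
	fmt.Println("round trip:", ok, "cross-key rejected:", rejected, "err:", err)
}
```

The design point for incident response is where the secrets sit: the public key in the configuration reveals nothing, each file key exists only in wrapped form, and every wrapped key falls to the one private key. That is why a seized private key can restore many victims at once, while a recovered per-file key helps with exactly one file and key reuse across files is not something a defender can count on.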
1) Healthcare Organizations industry
This ransomware variant has been involved in numerous incidents, affecting healthcare organizations by encrypting sensitive data, including patient information, and demanding ransom for decryption keys. The attacks have not only led to financial losses but also posed serious risks to patient care and safety. The aggressive enforcement actions by law enforcement agencies, including the development of decryption tools, have provided some relief to victims.
Notable Attacks and Impacts
• McLaren HealthCare Ransomware Attack: A significant ransomware attack on McLaren HealthCare, a large Michigan healthcare provider, highlighted the vulnerability of healthcare systems to cyber threats.
• Targeting of Hospitals and Healthcare Networks: The ALPHV/BlackCat ransomware group has attacked numerous hospitals, exposing sensitive patient data and placing patient care and lives at risk. These attacks have been part of a broader pattern of targeting networks that support U.S. critical infrastructure
• Impact on Patient Care and Data Security: The ransomware attacks on healthcare organizations have had devastating effects, including the disruption of healthcare services, exposure of sensitive health information, and financial losses.
Law Enforcement Response
• DOJ Disruption Campaign: The Department of Justice (DOJ), in collaboration with the FBI and international partners, launched a disruption campaign against the ALPHV/BlackCat ransomware group. This campaign aimed to mitigate the threat posed by the ransomware to critical infrastructure, including the healthcare sector
• FBI Decryption Tool: As part of the disruption efforts, the FBI developed a decryption tool that was provided to victims of the ALPHV ransomware, including healthcare organizations. This tool helped save victims from ransom demands totaling approximately $68 million, enabling affected businesses and healthcare facilities to recover and resume operations

2) Financial Institutions industry
ALPHV has posed a significant threat to the financial institutions industry, leveraging sophisticated tactics to target banks, insurance companies, and other financial service providers. This ransomware variant is known for its stealthy operations, aiming to encrypt files, steal sensitive data, and demand ransom, often employing double-extortion tactics.
Notable Attacks and Impacts
• Fidelity National Financial Attack: One of the most high-profile incidents involved Fidelity National Financial, a Fortune 500 provider of title insurance. The ALPHV/BlackCat group claimed responsibility for this cyberattack, which led to disruptions in title insurance, escrow, and other related services.
• Increased Ransomware Threats: The financial industry has seen a surge in ransomware attacks, with a notable increase in both the frequency and sophistication of these incidents. Financial organizations are attractive targets due to the vast amounts of sensitive customer and partner data they hold, making them ideal for double-extortion attacks. The Clop, LockBit, and ALPHV/BlackCat ransomware groups have been particularly active in targeting this sector
• Impact on Financial Operations: Attacks on financial institutions can have severe consequences, including the disruption of critical financial services and trading activities. For instance, a suspected ransomware attack against the U.S. trading arm of the Industrial and Commercial Bank of China disrupted trading in the U.S. Treasury market, underscoring the potential for ransomware to impact financial stability
Law Enforcement Response and Industry Recommendations
• Infrastructure Takedown Efforts: Law enforcement agencies, including the FBI, have taken action against the infrastructure of the ALPHV ransomware group. These efforts aim to disrupt the group's operations and mitigate the threat they pose to critical sectors, including financial institutions
• Cybersecurity Measures: Financial institutions are advised to enhance their cybersecurity defenses to protect against ransomware threats. This includes investing in skilled personnel, advanced tools, and fostering a culture of proactive defense. Regular training, continuous monitoring, and collaboration within the cybersecurity community are essential strategies to combat sophisticated ransomware groups like ALPHV/BlackCat.

3) Oil Companies industry
The group operates under a ransomware-as-a-service (RaaS) model and has targeted organizations worldwide, including many in the United States
Notable Attacks and Impacts
ALPHV ransomware, also known as BlackCat, has targeted the oil industry with significant attacks. Notably, the group exposed 400 GB of data claimed to be stolen from Encino Energy, Ohio's primary oil producer. Despite this, Encino Energy reported no impact on their operations from the attack. In Europe, ALPHV was implicated in an attack on German oil companies Mabanaft and Oiltanking, which disrupted their loading and unloading systems and forced energy giant Shell to reroute supplies. These attacks demonstrate ALPHV's capability to target and disrupt critical energy infrastructure.
Law Enforcement Response
Law enforcement agencies, including the FBI, have taken action against the infrastructure of the ALPHV ransomware group. The FBI and international law enforcement agencies infiltrated and shut down the group's infrastructure, which had targeted more than 1,000 victims over 18 months. While no arrests were announced as part of the takedown, the operation represents a significant effort to disrupt the activities of ransomware groups targeting critical sectors like the oil industry.

4) Hospitality and Entertainment industry
AlphV has targeted the hospitality and entertainment industry with several high-profile attacks. The group's operations are characterized by the theft of sensitive data, including customer personal and financial information, followed by demands for ransom. The sophisticated tactics employed by the group include the use of social engineering and malvertising.
Notable Attacks and Impacts
•  LBA Hospitality Attack: ALPHV targeted LBA Hospitality, which manages hotels under major chains like Marriott and Hilton. The group claimed to have compromised around 200GB of "highly confidential" internal company data, including client and employee personal details, financial reports, credit card information, and more
• MGM Resorts International Attack: ALPHV was responsible for a cyberattack on MGM Resorts, causing significant operational disruptions. The attack disabled online reservation systems, digital room keys, slot machines, and websites. The group used social engineering tactics to gain access to MGM's systems and deployed ransomware to more than 100 ESXi hypervisors within MGM's network
• Caesars Entertainment Attack: Caesars Entertainment was another victim of ALPHV, which resulted in at least $100 million in damages and a reported ransom payment of $15 million
• Westmont Hospitality Group Breach: The ALPHV/BlackCat ransomware gang claimed to have breached Westmont Hospitality Group, one of the world's largest privately-held hospitality businesses
• Motel One Data Breach: The group attacked the hotel chain Motel One and threatened to leak 6 TB of stolen data, including customer contact details, internal documents, and credit card data
Tactics and Techniques
The group has been known to abuse Google search ads to spread ransomware, using major brands as lures to direct users to malicious sites. They also employ social engineering tactics, such as spear-phishing and calling help desks to gain access to networks.

5) Manufacturing and Warehousing industry
AlphV has been linked to a series of high-profile attacks
company IT and/or helpdesk staff and use phone calls or SMS messages to obtain access to systems.
Another notable attack was on Clarion, a global manufacturer of audio and video equipment for cars and other vehicles. The group claimed to have leaked confidential data about their business and their partners, including the engineering information of the company's customers.
Organizations should also be aware that the group targets both Windows and Linux devices, as well as network-attached storage (NAS) devices, which are often used to store backups and sensitive data.

6) Government Facilities and Emergency Services industry
AlphV has significantly impacted the government facilities and emergency services industry. This ransomware variant, recognized for its sophisticated tactics and global reach, has targeted critical infrastructure, including government facilities and emergency services, causing disruptions and posing threats to national security and public safety.
Notable Attacks and Impacts
• Disruption to Critical Infrastructure: The ALPHV ransomware variant has been connected to attacks against U.S. critical infrastructure, encompassing government facilities and emergency services.
• Global Scale of Operations: ALPHV/BlackCat has emerged as the second most prolific ransomware-as-a-service variant globally. Its activities have led to significant global repercussions, with the group compromising over 1,000 entities worldwide.
• Financial Impact and Ransom Payments: The group has demanded over USD 500 million in ransoms and received nearly USD 300 million in payments. This financial impact highlights the lucrative nature of ransomware operations targeting critical sectors, including government facilities and emergency services
Law Enforcement Response
• DOJ Disruption Campaign: The Department of Justice, in collaboration with the FBI and international partners, launched a disruption campaign against the ALPHV/BlackCat ransomware group. This campaign aimed to mitigate the threat posed by the ransomware to critical infrastructure, including government facilities and emergency services
• FBI Decryption Tool: As part of the disruption efforts, the FBI developed a decryption tool provided to victims of the ALPHV ransomware, including those in the
on various sectors, including manufacturing and warehousing. government facilities and emergency services industry.
The group has targeted more than 1,000 victims over the past This tool helped save victims from ransom demands
18 months, making it the second-most prolific ransomware-as- totaling approximately USD 68 million, enabling
a-service group in the world. affected entities to recover and resume operations
Notable Attacks and Impacts 7) Schools industry
One of the most significant attacks attributed to the ALPHV ransomware has targeted the education sector,
previously mentioned ALPHV/BlackCat group was on MGM including K-12 schools, universities, and other educational
Resorts International. The ALPHV/BlackCat ransomware institutions. These attacks have disrupted educational processes
group has also been observed using Google Ads to distribute and compromised sensitive student and staff data. The sector's
malware, targeting businesses including a manufacturer and a susceptibility to cyber threats, due to often limited resources
warehouse provider. ALPHV/BlackCat affiliates often pose as and a large number of potential adversaries, necessitates a
proactive approach to cybersecurity, including regular updates,

83
Read more: Boosty | Sponsr | TG

employee training, and the implementation of strong security and also threaten to leak stolen data. This approach puts
protocols. additional pressure on the victims to pay the ransom
Notable Attacks and Impacts • Exploitation of Vulnerabilities: The leading cause of
• Increased Ransomware Attacks: There has been a ransomware attacks in the education sector has been the
sharp increase in ransomware attacks on schools, with a exploitation of vulnerabilities in devices. Schools often
17 percent rise in such incidents. The attacks have lack the resources for robust cybersecurity measures,
involved the encryption of files and threats to leak stolen making them susceptible to such attacks
data if ransoms are not paid 8) Defense Industrial Base Companies industry
• High-Profile School Districts Affected: School The Alpvh has targeted a wide array of sectors, including the
districts such as Dallas Public Schools and Minneapolis defense industrial base companies. This focus on critical
have been among the high-profile victims of ransomware infrastructure sectors underscores the strategic approach of the
attacks. group to compromise entities that are vital to national security
• Global Reach: The attacks on schools have not been and economic stability.
limited to the United States; educational institutions in Notable Attacks and Impacts
the United Kingdom, Australia, Germany, France, and • Targeting Critical Infrastructure: The Department of
Brazil have also encountered ransomware attacks Justice (DOJ) has identified the defense industrial base
• Impact on Educational Operations: Ransomware companies as one of the critical infrastructure sectors
attacks on schools can lead to significant operational targeted by the ALPHV ransomware variant.
disruptions, including the interruption of the application • Financial and Operational Impact: The global losses
process, operations, and classes. In some cases, the attributed to ALPHV, which employs multiple-extortion
attacks have been severe enough to contribute to the attack models, are substantial. The group's activities
closure of schools have resulted in significant financial demands and have
Tactics and Techniques underscored the potential for operational disruptions
• Double Extortion: ALPHV ransomware operators often within the defense sector
employ double extortion tactics, where they encrypt files