Tiberius Hernandez, Halle Morel, Nageshswarup Shukla, PACOM Team; Keanna Grelicha, Marina Tovar, Counterintelligence and Cyber (CICYBER) Team
Ransomware Scam[1]
Date: January 10, 2022
Location: Singapore
Parties involved: OG department store; Banks; Unknown hackers
The event: Banks, department store chains like OG, and other firms in Singapore experienced phishing scams from late 2021 to the time of this report. From one phishing scam, there was a loss of $8.5 million USD to a Singapore bank in late 2021. Phishing scams are emails sent to individuals that appear to be from a well-known source but contain malware or infected links that allow hackers to enter a system to steal the target’s sensitive data. These cyberattacks resulted in the data breach of OG employee names, birth dates, mailing addresses, and phone numbers. OG’s attack report states that no financial information, such as credit card numbers, was stolen in the breach. The weak cybersecurity of the department store’s third-party vendors is believed to be the cause of the breach. This vulnerability led to the attacks on Singtel and Fullerton Health in Singapore, resulting in data breaches as well. CyberArk Asia Pacific and Japan, a security service company, is investigating the attacks in Singapore. The Vice President of CyberArk, Jeffrey Kok, reported that an increase of attacks resulting in data theft and financial losses leads to other opportunities for hackers to continue attacking and posing future threats to the industry.[2] The attack comes in the context of Singapore prioritizing cybersecurity via international agreements.[3] Singapore recently signed a cybersecurity agreement with Finland that mutually recognizes each country's cyber security policies.[4]
Analysis & Implications:
The malware released when users clicked the link very likely allowed hackers to enter the system where it collected data that very likely granted the hackers access to privileged accounts. Once in the privileged accounts, hackers very likely stole and encrypted company data and assets to hold for ransom. Accessing this type of company data will likely impact the revenue flows and business operations, leading to a decrease in the number of clients and future services.
With access to the privileged accounts, hackers will likely collect additional information such as bank account credentials or passwords to commit identity theft in a future attack. Employees who experience identity theft would almost certainly have to monitor their accounts and finances to report the incident and protect other data that could be accessed, such as credit card numbers. This would likely result in employees quitting if they feel a lack of trust towards the company for not securing their data. A decrease in the number of employees would very likely make the enterprise more vulnerable to an attack as there would be very few personnel monitoring servers or malicious activities relating to a cyberattack.
Attacks targeting employees very likely demonstrate hackers wish to ensure their victims will easily succumb to scams. An inability to detect phishing scams and report malicious activity very likely indicates a lack of employee training to understand different types of scams. The lack of detection within employee accounts very likely resulted in the successful attack. Even if employees are trained, targeting CEOs and senior executives will very likely occur if hackers believe targets cannot determine a fake email from a legitimate one. These attacks will almost certainly continue to be a future threat if employees and employers lack the proper training and necessary knowledge to understand and report email scams.
In light of Singapore recently penning a cybersecurity agreement with Finland, it is very likely this event will lead to further international cooperation. Singapore will very likely use the breach to sign more international agreements to coordinate cybersecurity strategies and acquire cyber capabilities that lessen the probability of a similar attack occurring in the future. New agreements are likely to occur given the scope of this cybersecurity breach likely leading to citizens being more aware of this issue and therefore more likely to approve of politicians seeking to increase cybersecurity.
Date: January 11, 2022
Location: China
Parties involved: VMware Horizon; Microsoft; China-based ransomware group
The event: A Chinese ransomware group conducted a ransomware attack on VMware Horizon, a virtualization platform and cloud service under Microsoft desktop. The ransomware attack targeted certain online vulnerabilities and injected the system with malware with the motivation to leverage data to hold for a price. The ransomware group exploited vulnerabilities within the Log4j operations, a coding database that helps run the cloud service on the desktop. The Log4j is used to track software applications and ensure the online services are operating efficiently. The group deployed new ransomware called NightSky into the system, which helped release the malware to achieve command and control (C2) of the servers to undermine the domain. C2 allows hackers to stay connected on the server to continue the remote attack in the chance the malware alone does not help the threat actors reach sensitive data. Once in the server, the ransomware group continued to execute the attacks against the systems by targeting Microsoft-related systems with NightSky ransomware.[5]
Analysis & Implications:
The NightSky ransomware is almost certainly used to steal data and exploit vulnerabilities in the system through weak connections to reach employees’ data accounts or other software applications. The ability to achieve C2 operations with the NighSky ransomware almost certainly adds to the threat of accessing sensitive data and company credentials faster than without these controls. This feature will likely allow a more effective attack as hackers will likely manipulate the software applications by controlling the commands within the server, likely providing access to the domain that holds all the data. The group will very likely encrypt any sensitive information in the accessed data to later request a ransom to return data.
The vulnerabilities within the Log4j operations very likely allow the ransomware group to move within the system and gather data of the software applications. Without secure patches on the Log4j operations, there will likely be an increase in public-private partnerships under the US Cybersecurity and Infrastructure Security Agency (CISA) as US government agencies and private companies widely use Log4j systems. Chinese ransomware groups will very likely continue to exploit Log4j vulnerabilities to obtain intellectual property or disrupt US critical infrastructure such as supply chains, hospitals, or federal network security. Chinese groups' continued ransomware attacks will almost certainly further strain tensions between the US and China as cyberattacks heighten economic and national security concerns.
If hacker groups use these attacks as an example, the C2 ability will very likely be a technique used in future attacks against VMware Horizon or other companies in the industry. Other companies will likely have Log4j operations, likely making them more vulnerable to an attack. If sensitive information gets leaked or stolen, employees and customers will very likely lose trust in the company to hold sensitive data in secure systems. The lack of trust could likely lead to a decrease in business which could likely impact revenue and services, damaging company prospects and future growth.
Date: January 12, 2022
Location: South Korea
Parties involved: AhnLab; Microsoft Windows; Magniber ransomware group
The event: AhnLab, a South Korean cybersecurity company, reported that the Magniber ransomware group is targeting Microsoft Windows applications with files that have legitimate credentials and certificates but actually introduce malware that acts as Chrome and Edge web browser updates. The ransomware group distributes the malware in the fake Internet browser accessing the website. AhnLab is investigating the attacks as most victims are located in South Korea. Some attacks started as phishing email scams where the individuals opened links with malicious URLs pretending to be a legitimate Microsoft browser update that released the malware inside the system. If the target updated their system with the malicious browser, the browser released the infected files that sent the malware throughout the system. Once in the system, the ransomware group encrypted data and created ransom notes for the targeted enterprises.[6]
Analysis & Implications:
Without recommendations from Microsoft on spotting illegitimate credentials on the Windows files, the Magniber ransomware group will very likely continue using this tactic to extort other potential targets to extract employees or company-sensitive information. Targeting individuals through phishing emails is very likely the type of scam that will succeed if targeted employees do not possess the knowledge to report the email scams. Companies will very likely lack proper system monitoring practices to detect the systems’ applications with fake certificates. If the ransomware group notices companies do not easily flag the fake credentials and certificates, they will very likely continue to exploit other companies and organizations using this tactic.
Microsoft not reporting the fake malicious browser updates will very likely cause complications for companies using the Windows platform. If there is no report from Microsoft, companies will likely assume the legitimate platforms are fake and report the real browser. Companies would likely report Microsoft’s legitimate services if they believe they are fake, likely impacting Microsoft’s reputation and leading to a decrease in revenue flows.
Civilian organizations and citizens’ cyberspace is likely to stay vulnerable to attacks due to a lack of cyber training and awareness. South Korea’s and US Combined Force Command (CFC) will likely provide strong cybersecurity practices and measures to military organizations in South Korea. However, the frequent successful cyberattacks will very likely encourage attackers globally and regionally to carry out more attacks in South Korea’s cyberspace.
Specialty reports are designed to inform clients of existing and emerging threats worldwide. To defeat terrorists and individuals intent on harming, it is critical to understand and investigate them. We collect and analyze intelligence on terrorists and extremists, their organizations, individuals who are threats, and their tactics and attacks to develop solutions to detect, deter, and defeat any act of terrorism or violence against our client. We also conduct investigations to identify persons of interest, threats, and determine the likelihood of a threat and how to stop them. To find out more about our products and services visit us at counterterrorismgroup.com.
[1] “Ransomware Scam” by WikiMedia Commons licensed under Public Domain
[2] Another Singapore company suffers data breach linked to a third-party vendor, CYBERSECasia, January 2022, https://www.cybersecasia.net/news/another-singapore-company-suffers-third-party-data-breach
[3] Finland, Singapore agree mutual recognition of cyber security labels, Telecompaper, October 2021, https://www.telecompaper.com/news/finland-singapore-agree-mutual-recognition-of-cyber-security-labels--1399769
[4] Ibid
[5] VMware Horizon under attack as China-based ransomware group targets Log4j vulnerability, The Daily Swig, January 2022, https://portswigger.net/daily-swig/vmware-horizon-under-attack-as-china-based-ransomware-group-targets-log4j-vulnerability
[6] Magniber ransomware using signed APPX files to infect systems, Bleeping Computer, January 2022, https://www.bleepingcomputer.com/news/security/magniber-ransomware-using-signed-appx-files-to-infect-systems/