CYFIRMA: Cybersecurity Dossier
Threat Actor in Focus - LightSpy: A State-Sponsored Threat Resurfaces for Espionage in Southern Asia
The group behind LightSpy is assessed to consist of native Chinese speakers and is suspected of state-sponsored activity, potentially on behalf of the Chinese government. This assessment rests on infrastructure and functionality overlaps between the LightSpy malware and tooling used by MISSION2025, also known as APT41, a Chinese state-sponsored threat actor; it is an inference from those overlaps rather than a confirmed attribution. The primary objective of the campaign is espionage: exfiltrating sensitive information from high-profile targets such as politicians, CEOs, journalists, activists, and diplomats, including personal data, financial information, and location tracking. LightSpy is modular mobile spyware with capabilities for file theft, audio recording, data harvesting, and broad system access. Infection is a multi-stage process, likely initiated through compromised news websites, i.e. a watering-hole approach. The malware primarily targets iOS devices, particularly iPhones and iPads, and carries modules that exfiltrate data from messaging applications such as QQ, WeChat, and Telegram, as well as device information, browser history, and media files.
Ivanti RCE (CVE-2024-21894) Vulnerability Analysis and Exploitation
CYFIRMA’s Research team has analyzed CVE-2024-21894, a critical vulnerability in Ivanti Connect Secure and Policy Secure gateways, which are central components of many organizations’ remote-access infrastructure. Ivanti describes the flaw as a heap overflow in the gateways’ IPsec component that an unauthenticated attacker can trigger with specially crafted requests; the primary impact is a crash of the service (denial of service), and under certain conditions it can lead to arbitrary code execution, giving the attacker remote code execution (RCE) on the gateway and a path into the networks behind it. CYFIRMA’s telemetry identified approximately 391,480 Ivanti VPN gateways exposed to the internet and therefore potentially at risk. Organizations should apply the patches Ivanti has released without delay, limit exposure of gateway services that do not need to be reachable from the internet, and monitor the appliances for signs of exploitation; proactive hardening and informed threat intelligence remain essential as edge devices of this kind continue to be targeted.
Threat to Offshore Infrastructure in a Maritime-Centric Century
The most significant evolving threat to the electric grid combines cybersecurity and physical security. The power grid in the US, and even more so in Europe, is being transformed as the world shifts to sustainable energy; this transformation introduces new vulnerabilities, because offshore infrastructure is exposed to both physical and cyber attacks. Both the US and EU governments have sought to strengthen collaboration between critical infrastructure owners and operators and their sector risk management agencies, but the hasty nature of the grid transformation will likely leave openings for sophisticated attackers for years to come. Strategists call this a “maritime century”, one in which the foundations of prosperity rest on maritime physical and digital connectivity.
CYFIRMA INDUSTRY REPORT : INFORMATION TECHNOLOGY
Welcome to the CYFIRMA infographic industry report, which examines the external threat landscape of the Information Technology industry over the past three months. The report provides data-driven statistics and a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the IT industry, presented in a convenient, engaging, and informative format. Drawing on our platform telemetry and the expertise of our analysts, it delivers actionable intelligence to help defenders stay ahead. The CYFIRMA Industry Report series covers one sector each week for a quarter; this edition focuses on the information technology industry and presents its key trends and statistics as an infographic.
Ransomware of the Week
The CYFIRMA Research and Advisory Team found Dzen ransomware in the wild while monitoring underground forums as part of our Threat Discovery Process. Dzen, a member of the Phobos family, was first observed in early April 2024. It encrypts files, renames them by appending the victim’s ID, the attackers’ email address, and the “.dzen” extension, and drops two ransom notes named “info.txt” and “info.hta”. Beyond encryption, Dzen disables the host firewall, leaving the system exposed to further malicious actions, and deletes Volume Shadow Copies to defeat local file recovery. It also collects location data, establishes persistence, and excludes selected files and directories from encryption. The ransom note tells victims that their data has been encrypted and can only be recovered with the attackers’ software, and warns against independent decryption attempts, stressing the risk of permanent data loss.
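The indicators described above (the renamed files, the two ransom notes, the firewall and shadow-copy tampering) translate directly into a host triage check. The following Python is an added example written for this page, not CYFIRMA’s or the Dzen operators’ code. The report only says that the victim ID, an email address and “.dzen” are appended to filenames; the bracketed `id[XXXXXXXX-XXXX].[email]` layout used here follows the usual Phobos-family convention and is an assumption, as are the specific `vssadmin` and `netsh` command lines, which are common ways to delete shadow copies and disable the Windows firewall rather than commands quoted from the Dzen analysis. The sample file listing and process log are constructed.

```python
import re

# Assumed Phobos-family filename layout (the report states only that the
# victim ID, an e-mail address and ".dzen" are appended):
#   <original name>.id[XXXXXXXX-XXXX].[attacker@example.com].dzen
DZEN_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.dzen$"
)

# Ransom note names given in the report.
RANSOM_NOTES = {"info.txt", "info.hta"}

# The report says Dzen disables the firewall and deletes Volume Shadow Copies.
# These command-line shapes are the common Windows ways of doing that and are
# assumed for illustration; the report does not quote Dzen's exact commands.
SUSPICIOUS_CMDS = (
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("firewall_disabled", re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
)


def _basename(path):
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def parse_dzen_name(filename):
    """Return original name, victim ID and contact address if the filename
    follows the Dzen pattern, otherwise None."""
    m = DZEN_NAME_RE.match(_basename(filename))
    return m.groupdict() if m else None


def scan_filenames(filenames):
    """Split a directory listing into Dzen-encrypted files and ransom notes."""
    encrypted, notes = [], []
    for path in filenames:
        base = _basename(path)
        if base.lower() in RANSOM_NOTES:
            notes.append(path)
        elif parse_dzen_name(base):
            encrypted.append(path)
    return encrypted, notes


def scan_process_log(lines):
    """Flag process-creation log lines whose command line matches one of the
    destructive actions above. Each line is expected to carry 'CMDLINE=...'."""
    hits = []
    for line in lines:
        _, _, cmdline = line.partition("CMDLINE=")
        for label, pattern in SUSPICIOUS_CMDS:
            if pattern.search(cmdline):
                hits.append((label, cmdline.strip()))
                break
    return hits


def triage(filenames, log_lines):
    """Summarize the Dzen indicators present on a host."""
    encrypted, notes = scan_filenames(filenames)
    cmd_hits = scan_process_log(log_lines)
    victim_ids = {parse_dzen_name(p)["victim_id"] for p in encrypted}
    return {
        "encrypted_files": len(encrypted),
        "ransom_notes": len(notes),
        "victim_ids": sorted(victim_ids),
        "destructive_commands": sorted({label for label, _ in cmd_hits}),
        # Renamed files plus the notes together are the strong signal.
        "likely_dzen": bool(encrypted) and bool(notes),
    }


# Constructed sample data, not taken from a real incident.
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.id[1A2B3C4D-3483].[restore@example.com].dzen",
    r"C:\Users\alice\Documents\notes.txt.id[1A2B3C4D-3483].[restore@example.com].dzen",
    r"C:\Users\alice\Documents\info.txt",
    r"C:\Users\alice\Documents\info.hta",
    r"C:\Users\alice\Documents\readme.md",
]
SAMPLE_LOG = [
    "2024-04-05T10:12:03Z host=WS01 pid=4412 image=cmd.exe CMDLINE=vssadmin delete shadows /all /quiet",
    "2024-04-05T10:12:04Z host=WS01 pid=4420 image=cmd.exe CMDLINE=netsh advfirewall set currentprofile state off",
    "2024-04-05T10:12:09Z host=WS01 pid=4431 image=notepad.exe CMDLINE=notepad.exe info.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_FILES, SAMPLE_LOG))
```

Feed `triage` the file listing and process-creation events (for example Sysmon event ID 1 or Security event 4688 command lines) from a suspect host; a result with `likely_dzen` true and both destructive command labels present is a strong signal that recovery from shadow copies is no longer an option and that offline backups should be used instead.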
Trending Malware of the Week
This week “XploitSPY” is trending. Researchers have identified an ongoing espionage campaign, named eXotic Visit, targeting Android users. Active since late 2021, the campaign distributes apps that masquerade as messaging services through dedicated websites and, briefly, through the Google Play store, where they recorded low install counts before being removed. The primary targets appear to be Android users in Pakistan and India. Because the researchers could not link the activity to a known threat group, they track the operators under the internal name “Virtual Invaders”. The apps contain a customized version of XploitSPY, an open-source Android RAT, with added malicious code that lets the operators extract contact lists, files, GPS location, and the names of files in directories used by the camera, downloads, and messaging apps such as Telegram and WhatsApp.
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early-warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation, AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) that gives cyber defenders the hacker’s view and helps clients prepare for impending attacks.
Visit www.cyfirma.com