Pharmaceutical Threat Intelligence: Use Cases

October 13, 2020
7 min read
Alan Thomas

Introduction

Cyjax monitors critical asset information across the clear, deep, and darknet for businesses of all sizes across various industry verticals. We have serviced two major pharmaceutical companies for many years, providing timely and actionable intelligence. We have worked closely with their security operations teams, helping to reduce their risk of incidents by monitoring threats and vulnerabilities across their infrastructure. In this report, we explain how we monitor and visualize information, along with a sample of our outputs.

Cyjax - The Service

At Cyjax, we follow a two-pronged approach: automated monitoring through our threat intelligence platform, combined with analyst support to develop precursor intelligence reporting for our clients. Using proprietary dashboard technology, we can map out incidents specific to your vertical and develop a clear understanding of emerging threats and vulnerabilities to your critical assets. We monitor your people, office locations, technology stack, brands, and third-party suppliers against a vast and varied set of sources.

Additionally, we track threat actors actively targeting your sector and analyze the tactics, techniques, and procedures (TTPs) used to infiltrate similar organizations, helping you better protect your own. We also collect contextualized indicators of compromise (IOCs) that can be seamlessly integrated with any SIEM or third-party tool. Our TTPs and IOCs provide a comprehensive intelligence and protection package to mitigate potential intrusions.

We also provide coverage around brand infringement, intellectual property, and illegal trading of your products through our darknet monitoring.

Cyjax Reporting

Our team of highly skilled analysts focuses primarily on open-source intelligence (OSINT) to protect our clients by understanding their digital footprint and attack surface. This is critical in identifying vulnerabilities or threats. When a potential risk is discovered, we gather as much information as possible, providing context and appropriate mitigation strategies, enabling clients to make informed business decisions to protect their organizations. Below is a list of sample outputs.

We monitor exposed RDP connections, which, along with vulnerable VPNs, have become primary initial access vectors for networks. Recently, we've seen numerous ransomware attacks where RDP connections were brute-forced to facilitate an attack.
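The brute-forcing of exposed RDP services described above leaves a recognisable trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a success (Event ID 4624). The following detection logic is an added example, not part of the Cyjax post or its platform; the log lines, IP addresses, account names and field layout are constructed for illustration, and a real export from Event Viewer or a SIEM will need its own parser.

```python
"""
Added example (not from the original post): flag RDP brute-force activity in
Windows Security event log lines. The line format below is a constructed
"key=value" rendering of the fields a SIEM would normally expose.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Event 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses are documentation ranges.
SAMPLE_LOG = """\
2020-10-13T08:00:01Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.10
2020-10-13T08:00:03Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.10
2020-10-13T08:00:04Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.10
2020-10-13T08:00:06Z EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.10
2020-10-13T08:00:07Z EventID=4625 LogonType=10 Account=guest SourceIP=203.0.113.10
2020-10-13T08:00:09Z EventID=4624 LogonType=10 Account=admin SourceIP=203.0.113.10
2020-10-13T08:05:00Z EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.7
2020-10-13T08:20:00Z EventID=4625 LogonType=10 Account=jsmith SourceIP=198.51.100.7
2020-10-13T08:21:00Z EventID=4625 LogonType=2 Account=jsmith SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for every source with at least `threshold`
    failed RDP logons inside any `window`-long sliding interval.

    Each alert records the densest window's failure count, the accounts tried
    in it, and whether an RDP success from the same source followed it (the
    case that should be escalated first)."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 10:  # RDP only; console and network logons ignored
            by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        best = None  # (count, start_idx, end_idx) of the densest window
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        last_fail = fails[end]["ts"]
        alerts[ip] = {
            "failures": count,
            "accounts": sorted({e["account"] for e in fails[start:end + 1]}),
            "success_after": any(
                e["event_id"] == 4624 and e["ts"] >= last_fail for e in evs
            ),
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

On the constructed sample, 203.0.113.10 is flagged (five failures across four accounts in a few seconds, then a success), while 198.51.100.7 is not: its two failures are fifteen minutes apart and never reach the threshold in one window. The threshold and window are deliberately parameters; tune them against your own baseline of legitimate failed RDP logons before alerting on them.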

Sample Output 1 - Exposed RDP Connection Discovered

We have identified a [redacted] IP address with Remote Desktop Protocol seemingly exposed.

Sample Output 2 - Threat Actor Selling Information from Multiple UAE-based Healthcare Organizations (14 August 2020)

The threat actor claims to be selling data related to several healthcare organizations based in the UAE. The actor has previously targeted healthcare organizations in the MENA region. The post below was taken from an online forum.

Note: Further stolen data samples have been redacted.

The actor has a mixed reputation in terms of credibility. However, given the number of samples provided as evidence, this database appears to be a genuine leak. While the source is unknown, the number of affected organisations across the UAE points to this database being stolen from a central health authority or regulatory body.

Moreover, the type of personal information exposed in this database - email addresses, full names, DOB, place of work and hashed passwords - makes it an invaluable resource for committing further criminal activity.

Sample Output 3 - Avaddon Ransomware Operators Announce New Data Leaks Blog (Originally Published on 11.08.2020)

The Avaddon ransomware operators have launched a data leaks blog to publish stolen data from victims who do not pay their ransom. The announcement was made on a darknet forum, where the group stated they are still recruiting new affiliates and seeking RDP access to systems.

There is currently only one entry on the group’s blog: EFCO Forms (or EFCO Formwork Solutions), a US-based construction company. The group has leaked 3.5MB of documents from the organisation, which include employee names, addresses, job titles, phone numbers, and email addresses, as well as invoices, UK customer orders, and commercial data.

Analyst Comment: Avaddon is a relatively new ransomware. In June 2020 Cyjax discovered the new Avaddon ransomware-as-a-service being advertised on Russian darknet forums, with its operators recruiting affiliates. Within days of this discovery, researchers began to observe attacks in the wild. Avaddon has also been linked to the Phorpiex botnet and Nemucod downloader. The Maze ransomware operators were pioneers of the tactic of stealing victim data and using it for extortion; the group introduced the concept of a leaks blog to put pressure on victims in early 2020. This is a tactic that has now been adopted by many ransomware operators, meaning that all companies should now accept that a ransomware attack likely equates to a data breach.

Update (27.08.2020): Cofense has now reported that Avaddon is being distributed alongside Raccoon Stealer, an infostealer, in a campaign targeting several industry sectors including energy, healthcare, insurance, manufacturing, mining and retail. The researchers believe that this is another indication of the Avaddon operators' willingness to exfiltrate data and use it to extort victims. This campaign appears to have successfully evaded secure email gateways (SEGs), and the two payloads are being pushed by the Smoke Loader downloader Trojan.[1]

Sample Output 4 - New APT29 Activity Disclosed, More WellMess Samples Uncovered

Kaspersky’s Brian Bartholomew has shared new activity linked to Advanced Persistent Threat group 29 (@APT29). Several ELF binaries of the WellMess malware were uploaded to VirusTotal by a user in China. The samples are reportedly UPX-packed and also share similarities with the ELF version of the WellMail malware.[2]

Note: IOCs for this threat are available to subscribers.

Analyst Comment: WellMess is Golang malware that has been used by @APT29 since at least 2018. It was first reported by JPCERT/CC and is designed to execute arbitrary shell commands and can upload and download files. WellMess supports HTTP, TLS, and DNS communication methods with the APT actors’ C&C servers.

In July, the UK NCSC and US NSA released a joint public security advisory stating that a Russian state-sponsored group, tracked as @APT29, had been infiltrating organisations involved in coronavirus vaccine development.[3] The malware involved in these attacks included WellMess, WellMail, and SoreFang.

@APT29 (also known as @CozyBear, @TheDukes, or @YTTRIUM) is likely to continue to target organisations involved in COVID-19 vaccine research and development. The group has vast resources and skills: a resurgence from it would be a major security concern, particularly for the US and its allies. With the 2020 US presidential election looming, as well as the Tokyo 2021 Olympics, it is possible that these Russian threat groups may be more active in the coming months.

Conclusion

We have worked tirelessly throughout this pandemic to help protect our pharmaceutical clients whilst they continue to press ahead with vaccine research. In this report, we have provided an overview of our service and a sample of outputs that these clients typically receive as part of our offering. We would be delighted to deliver our full capability to you, as we believe Cyjax can help in better protecting your critical assets.

Sources

[1] Cofense Avaddon Ransomware Data Exfiltration Trend
[2] Mao_Ware Twitter
[3] UK and Allies Expose Russian Attacks on COVID-19 Vaccine Development
