24 September 2021 | Asia Cyber Summary

FEATURE VIDEO: The Current and Future State of Ransomware

What can organisations do to protect themselves against ransomware? Watch this fireside chat as Blackpanda’s Nathan Reid, Director of DFIR, and Horangi’s Mark Fuentes, Director of Cyber Security Operations and Strategic Services, discuss this question, and share their thoughts on the present and future ransomware threat landscape.

Watch Here: https://youtu.be/kzmne-3ml0E

In the spotlight this week:

  • Ransomware payments made in half of global attacks

  • Ongoing Phishing Campaign Targets APAC, EMEA Governments

  • Details of 100m visitors to Thailand exposed online

  • New Capoae Malware Infiltrates WordPress Sites and Installs Backdoor Plugin

  • Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

Ongoing Phishing Campaign Targets APAC, EMEA Governments

Government departments in at least 7 countries in the Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA) regions have been targeted in a phishing campaign. Focused on credential harvesting, the attacks most likely started in the first half of 2020, when the phishing domains used as part of the campaign were transferred to their current host, security researchers say.

At least 15 pages remain active, targeting the governments of countries such as Belarus, Georgia, Kyrgyzstan, Pakistan, Turkmenistan, Ukraine, and Uzbekistan. Aimed at compromising the email portals of targeted government departments, this intelligence-gathering campaign is likely the work of a nation-state threat actor.

Details of 100m Visitors to Thailand Exposed Online

More than 106 million travellers to Thailand had their personal details exposed online in August. A cybersecurity research company that discovered the data leak said the breach was quickly plugged by authorities.

Any foreigner who travelled to Thailand in the last decade might have had their information exposed in the incident, including their name, passport number and residency status. Thai authorities were informed on August 22 and secured the data the following day. "However we do not know how long the data was exposed prior to being indexed," said the report. Thai authorities "maintain the data was not accessed by any unauthorised parties", it added. Thailand's Cyber Crime Investigation Bureau said it was unaware of the incident but was looking into it.

Ransomware Payments Made in Half of Global Attacks

As ransomware attacks grow increasingly frequent, more than half of the targeted organizations in seven major markets have made payments, according to a recent survey. Roughly 2,400 of the 3,600 companies and organizations surveyed by U.S. cybersecurity specialists faced a ransomware attack in 2020, and 52% of those paid the attacker in the hope of restoring access to their data. American entities paid in 87% of cases, followed by British (59%) and German (54%) organizations. A third of Japanese targets made payments.

Payments made without due consideration encourage further ransomware attacks and foster conditions for cyberterrorism. Companies face the task of maintaining up-to-date cyber defences while also reporting incidents to the authorities in a timely manner and sharing information with industry trade groups.

New Capoae Malware Infiltrates WordPress Sites and Installs Backdoor Plugin

A recently discovered wave of malware attacks has been observed using a variety of tactics to compromise machines that have easy-to-guess administrative credentials and co-opt them into a network whose goal is illicit cryptocurrency mining.

The PHP malware, codenamed "Capoae" (derived from "Сканирование," the Russian word for "scanning"), is said to be delivered to hosts via a backdoored addition to a WordPress plugin called "download-monitor," which is installed after the WordPress admin credentials have been successfully brute-forced. Once infected, these systems are used to mine cryptocurrency. The Capoae campaign's use of multiple vulnerabilities and tactics highlights just how intent these operators are on gaining a foothold on as many machines as possible.
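The intrusion chain described above (password brute force against wp-login.php, then a plugin upload once a login succeeds) leaves a recognisable trail in ordinary web server access logs. The following Python script is an added example written for this summary; it is not code from Akamai's Capoae report or from the WordPress project. It parses combined-format access log lines, flags any source IP that POSTs to /wp-login.php more than a threshold number of times within a sliding window, and then records whether that same IP went on to get a login redirect and to hit the plugin-upload endpoint. The log lines, IP addresses and timestamps are constructed for the example; the 200-on-failure / 302-on-success heuristic reflects default WordPress login behaviour and is an assumption you should confirm against your own installation.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def analyse(lines, threshold=10, window_seconds=60):
    """Map each suspicious IP to the stages of the chain seen from it.

    Heuristic (assumption): WordPress answers a failed login with 200 and the
    form again, and a successful login with a 302 redirect into /wp-admin/.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    attempts = defaultdict(list)  # ip -> timestamps of failed login POSTs
    findings = {}
    for e in events:
        ip, path = e["ip"], e["path"].split("?")[0]
        flagged = ip in findings
        if e["method"] == "POST" and path == "/wp-login.php":
            if e["status"] == 200:
                # keep only attempts inside the sliding window
                recent = [t for t in attempts[ip]
                          if (e["ts"] - t).total_seconds() <= window_seconds]
                recent.append(e["ts"])
                attempts[ip] = recent
                if len(recent) >= threshold and not flagged:
                    findings[ip] = {"brute_force": True,
                                    "login_success": False,
                                    "plugin_upload": False}
            elif e["status"] == 302 and flagged:
                findings[ip]["login_success"] = True
        elif flagged and (
            (path == "/wp-admin/update.php" and "action=upload-plugin" in e["path"])
            or path == "/wp-admin/plugin-install.php"
        ):
            findings[ip]["plugin_upload"] = True
    return findings


def report(findings):
    """Render findings as one line per IP, for a console or a ticket."""
    out = []
    for ip, f in sorted(findings.items()):
        stage = "credential brute force on wp-login.php"
        if f["login_success"]:
            stage += " -> successful login"
        if f["plugin_upload"]:
            stage += " -> plugin upload (inspect wp-content/plugins/ for unexpected code)"
        out.append(f"{ip}: {stage}")
    return out


# Constructed sample log (not real Capoae traffic): 203.0.113.7 fails twelve
# times in twelve seconds, succeeds, then uploads a plugin; 198.51.100.4 is a
# normal user who logs in once.
def _line(ip, sec, method, path, status, ua):
    return (f'{ip} - - [20/Sep/2021:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"')


BOT, USER = "python-requests/2.25.1", "Mozilla/5.0"
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200, BOT) for s in range(12)]
    + [_line("203.0.113.7", 12, "POST", "/wp-login.php", 302, BOT),
       _line("203.0.113.7", 15, "POST", "/wp-admin/update.php?action=upload-plugin", 302, BOT),
       _line("198.51.100.4", 20, "GET", "/wp-login.php", 200, USER),
       _line("198.51.100.4", 40, "POST", "/wp-login.php", 302, USER)]
)

if __name__ == "__main__":
    for line in report(analyse(SAMPLE_LOG)):
        print(line)
```

Run it against a real log with `analyse(open("access.log"))`; tune `threshold` and `window_seconds` to the site's normal login rate, and treat a hit on the plugin-upload stage as a reason to diff the installed plugin directories against a known-good copy rather than as proof of compromise on its own.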

Microsoft Warns of a Wide-Scale Phishing-as-a-Service Operation

Microsoft has detailed a large-scale phishing-as-a-service (PhaaS) operation that sells phishing kits and email templates and provides hosting and automated services at low cost, enabling threat actors to purchase phishing campaigns and deploy them with minimal effort.

With over 100 available phishing templates that mimic known brands and services, the BulletProofLink operation is responsible for many of the phishing campaigns that impact enterprises today. BulletProofLink is known to operate an online portal to advertise its toolset. Customers pay between $80 and $100 for credential phishing templates that let them steal the credentials unsuspecting victims enter after clicking a malicious URL in the email message.

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox.