SR-021.012023: MyCERT Report - MyCERT Quarterly Threat Report Q3 2022
MyCERT 3rd Quarter 2022 Summary Report
The MyCERT Quarterly Threat Report provides an overview of computer security incidents handled by the Malaysia Computer Emergency Response Team (MyCERT), a department within CyberSecurity Malaysia. This quarterly report also highlights statistics of incidents handled by MyCERT in Q3 2022 by category, as well as the list of security advisories released during the quarter. It should be noted that the statistics in this report reflect only the total number of incidents reported to and handled by MyCERT; they exclude elements such as monetary value or the aftermath of the incidents. Computer security incidents handled by MyCERT are those involving IP addresses and domains originating from Malaysia. MyCERT works closely with ISPs, CERTs, Special Interest Groups and LEAs, both local and international, to remediate and mitigate computer security incidents in Malaysia.
2.0 Trends Q3 2022
The number of Malaysians using digital devices and connected to the Internet has increased dramatically. As of January 2022, the estimated number of Internet users in Malaysia is 29.55 million out of a total population of 32.98 million. According to the Home Minister, the number of recorded cases involving cyberbullying, fraud, intrusion, phishing and email scams had nearly doubled, making cybersecurity one of Malaysia's top concerns in view of the drastic rise in online crimes reported in the country.
In general, MyCERT receives incident reports from local individuals, including Internet users and members of the public, as well as from industries, government, academia and non-profit organisations (NGOs). MyCERT also proactively monitors and gathers insights on cyber threats that could impact national security and critical infrastructure in Malaysia and aids in mitigating these threats.
MyCERT's Cyber999, a cybersecurity incident response centre, received 2,240 incidents from July to September 2022. In comparison, the second quarter (Q2) of 2022 showed a total of 1,977 incidents reported, indicating a 13% increase.
Table 1 below compares the reported incidents for Q2 2022 and Q3 2022 according to incident categories.
Table 1: Comparison of total incidents between Q2 2022 and Q3 2022 (columns: Categories of Incidents, Q2 2022, Q3 2022, Percentage (%); the figures are not included in this text)
Table 2: Number of incidents based on months in Q3 2022 (columns: Categories of Incidents, July, Aug, Sept; the figures are not included in this text)
Figure 1: Breakdown of reported incidents from July to Sept 2022
Figure 2: Percentage of reported incidents by classification
The statistics above show an upward trend: most incident categories reported to MyCERT increased in Q3 2022 compared to Q2 2022, while two categories decreased. Malicious code alone rose by 24%. Fraud was the most reported category in Q3 2022, accounting for 57.54% of all incidents reported to MyCERT, followed by spam (15.18%) and malicious code (13.75%).
Based on current and past trends, malware-related incidents will most likely continue to grow in Malaysia and will remain among the top incidents reported to MyCERT unless Internet users adopt proper preventive security measures. Fraud incidents are also likely to keep growing in Malaysian cyberspace.
2.1 Top Fraud Incidents Reported by Malaysian Internet Users to MyCERT
Scam activities and fraud continue to prevail within the community, targeting all kinds of citizens, from students to professionals. Fraud has become a preferred method of criminals because awareness is still lacking among the public, which makes them an easier target. A total of 1,289 fraud incidents were handled this quarter, a decrease of 7% compared to Q2 2022; the reports came from both organisations and individuals. The top fraud incidents reported to MyCERT are as below:
· Impersonation and Spoofing
· Fraudulent website
· Job scam
· Bogus email
· Business email compromise (BEC)
According to a New Straits Times report of 14 March 2022, online scammers gained RM1.6 billion across the 51,631 cases reported between 2019 and 2021. Internet users and organisations must therefore be vigilant when conducting online banking or e-commerce transactions to avoid becoming victims of online fraud.
2.2 Top Malware Infection in Malaysia
The second most reported incident category this quarter is spam; most spam incidents come from spam feeds and fall under the spam relay subcategory. The third is malicious code, which covers malware hosting, ransomware, malicious APKs, backdoors and trojans. Within this category the most reported type is malicious APK. Such reports typically originate from banking customers who report directly to local financial institutions; users must stay vigilant and keep their devices, especially mobile phones, updated with the latest patches and security measures. The second most reported type within the malware category is malware hosting, which covers malware hosted on vulnerable servers with Malaysian IP addresses. These reports usually come from foreign entities such as anti-virus vendors and Special Interest Groups. System administrators must likewise keep their systems up to date with the latest patches and security measures to prevent such incidents.
Ransomware incidents, by contrast, decreased in Q3 2022 compared to the previous quarter. Ransomware is malicious software (malware) that infects a computer and restricts access to it, or to its data, until the demanded ransom is paid. Our findings show that ransomware incidents occur most often at business organisations and are mostly reported by commercial businesses, consistent with the Verizon 2022 DBIR finding that organisations, businesses included, are the most impacted by ransomware worldwide. It is also among the costliest threats, as recovery involves restoring all affected data and rebuilding infected machines.
Below we list down the top malware that infected computers belonging to individuals and organisations in Malaysia, as reported to MyCERT:
Good backup management and cyber security awareness are essential in combating ransomware and other types of malware. The backup procedure, policy and best practices need to be implemented by everyone. Providing awareness campaigns to ensure users are up to date with the latest cyber threat landscapes and conducting organization-level tabletop exercises to challenge user understanding are among the best efforts to improve an organisation’s cybersecurity.
3.0 Security Advisories and Alerts Released in Q3 2022
In Q3 2022, MyCERT issued 17 advisories and nine alerts covering Mozilla, Microsoft, Apple and VMware security updates, among others. Each alert and advisory comes with a description, recommendations and references. Highlights of the advisories and alerts for this quarter are:
1. MA-843.072022: MyCERT Alert - Security Best Practices on Safe Online Transaction and Safeguarding Banking Information
2. MA-842.072022: MyCERT Alert - Amalan Terbaik Keselamatan Mengenai Pelanggaran Data
3. MA-845.072022: MyCERT Alert - Large-scale Phishing Campaign Bypasses MFA
4. MA-846.072022: MyCERT Alert - Alert on Fake Winning Contest Shopee
5. MA-847.082022: MyCERT Alert - Peraduan Menang Palsu Shopee
6. MA-848.082022: MyCERT Alert - Merdeka Day Best Practices Alert
7. MA-849.082022: MyCERT Alert - Security updates available for Google Chrome (CVE-2022-2856)
8. MA-858.092022: MyCERT Alert - IOCs and TTP Associated with Vice Society Actors
9. MA-862.092022: MyCERT Alert - MyPetronas Malicious Application
URL : https://www.mycert.org.my/portal/advisory?id=MA-862.092022
10. MA-865.092022: MyCERT Advisory - WhatsApp Security Advisories for CVE-2022-36934 and CVE-2022-27492
URL : https://www.mycert.org.my/portal/advisory?id=MA-865.092022
Internet users and organisations may refer to the following URL for other advisories and alerts released by MyCERT:
Overall, the number of computer security incidents reported to MyCERT this quarter shows a slight upward trend compared to the previous quarter, a 13% increase. Although this is a small percentage, organisations and individuals must not assume that our cyberspace is now secure; they must always ensure readiness and preparedness against potential threats. No significant or severe incident was observed this quarter. Nevertheless, users and organisations must remain constantly vigilant of the latest computer security threats and are always advised to take measures to protect their systems and networks. MyCERT therefore strongly recommends that all Internet users stay aware of current cybercrime trends and adhere to good cyber hygiene practices, including the safe handling of emails from unknown sources, secure web browsing, careful online purchasing and the careful use of social media applications. Always verify the legitimacy of applications, portals, merchants, services and products before conducting any online transaction. As the complexity of cyber threats continues to increase, organisations and individuals without proper awareness risk becoming the next reported incident.
Malaysian Internet users and organisations may contact MyCERT for assistance at the below contact:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
MA-907.012023: MyCERT Advisory - Ransomware LockBit 3.0
MyCERT has observed an increase in ransomware-related attacks, including attacks executed by well-identified ransomware known as LockBit 3.0. Notably, a number of organisations in Malaysia were hit by the LockBit 3.0 ransomware in 2022.
LockBit 3.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTP), creating significant challenges for defence and mitigation. LockBit 3.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits.
LockBit's operators began in September 2019 under the name ABCD ransomware and later rebranded as LockBit. In June 2021 they returned with an improved version, LockBit 2.0, which introduced features such as shadow copy and log file deletion to make recovery harder for victims. LockBit 2.0 also has the fastest encryption speed among the most popular ransomware families, encrypting around 25 thousand files in under a minute. Since July 2022 the current version has been known as LockBit 3.0 or LockBit Black.
The attackers associated with LockBit 3.0 are believed to originate from Russia. Detailed analysis shows that the ransomware checks the default system language and aborts without encrypting anything if the victim system's language is Russian or that of one of the countries neighbouring Russia.
The impacts of LockBit 3.0 are:
- Operations disruption with essential functions coming to a sudden halt.
- Extortion by the hackers for financial gain.
- Data theft and illegal publication as blackmail if the victim does not comply.
3.0 Indicators of Compromise
LockBit 3.0 ransomware is considered by many authorities to be part of the “LockerGoga & MegaCortex” malware family. This means that it shares behaviours with these established forms of targeted ransomware. As a quick explanation, we understand that these attacks are:
- Self-spreading within an organization rather than requiring manual direction.
- Targeted rather than spread in a scattershot fashion like spam malware.
- Using similar tools to spread, such as Windows PowerShell and Server Message Block (SMB).
Significantly, it is able to self-propagate, meaning it spreads on its own. LockBit 3.0 is driven by pre-designed automated processes built into its code. This distinguishes it from many other ransomware operations, which are driven manually by operators who reside in the network, sometimes for weeks, to complete reconnaissance before acting.
After the attacker manually infects a single host, the malware can find other accessible hosts, connect to them from the infected one and spread the infection using a script. This is repeated entirely without human intervention.
Furthermore, it uses tools in patterns native to nearly all Windows systems, so endpoint security products have difficulty flagging the activity as malicious. It also hides the encrypting executable by disguising it as a file in the common PNG image format, further deceiving system defences.
The indicators of compromise (IOCs) and malware characteristics outlined below were derived from field analysis, and the following samples are as of February 2022.
MyCERT recommends network defenders apply the following mitigations to reduce the risk of compromise by LockBit 3.0 ransomware:
1) Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access. Note: Devices with local administrative accounts should implement a password policy requiring strong, unique passwords for each administrative account.
2) Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
3) Keep all operating systems and software up to date. Prioritize patching known exploited vulnerabilities. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
4) Remove unnecessary access to administrative shares, especially ADMIN$ and C$. If ADMIN$ and C$ are deemed operationally necessary, restrict privileges to only the necessary service or user accounts and perform continuous monitoring for anomalous activity.
5) Use a host-based firewall to only allow connections to administrative shares via server message block (SMB) from a limited set of administrator machines.
6) Enable protected files in the Windows Operating System to prevent unauthorized changes to critical files.
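The self-propagation described above (one infected host reaching the administrative shares of many peers over SMB) is exactly the "anomalous activity" mitigation 4 asks defenders to monitor for. The following is an added example of that detection logic, not MyCERT's or CISA's tooling. It assumes log collection has already parsed Windows Security Event ID 5140 (network share object accessed) into dicts with the source IP, account, logging server and share name; the events, hosts and threshold values are constructed for the demonstration.

```python
r"""Flag a host that fans out over SMB to ADMIN$ or C$ on many peers.

Added example for this advisory, not MyCERT's or CISA's tooling. The input
records are constructed to resemble the fields an analyst gets from Windows
Security Event ID 5140 (network share object accessed) once parsed: source
IP, account, the server that logged the event, and the share name, which
Windows records with a \\*\ prefix (e.g. \\*\ADMIN$). Real log collection
is assumed to have produced these dicts already.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The two shares the mitigation list singles out.
ADMIN_SHARES = {"ADMIN$", "C$"}


def share_basename(share_name: str) -> str:
    """Strip the \\*\ prefix and normalise case: '\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return share_name.rsplit("\\", 1)[-1].upper()


def detect_admin_share_fanout(events, window=timedelta(minutes=10),
                              min_hosts=5, allowlist=frozenset()):
    """Return [(source_ip, user, sorted_targets)] for every source that
    reached ADMIN$/C$ on at least `min_hosts` distinct servers inside any
    `window`-long interval. `allowlist` holds sanctioned admin machines
    (mitigation 5's limited set), which are exempt."""
    per_source = defaultdict(list)
    for ev in events:
        if share_basename(ev["share_name"]) not in ADMIN_SHARES:
            continue
        if ev["source_ip"] in allowlist:
            continue
        per_source[(ev["source_ip"], ev["user"])].append((ev["ts"], ev["target_host"]))

    alerts = []
    for (src, user), hits in per_source.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):               # sliding time window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {host for _, host in hits[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_hosts:
            alerts.append((src, user, sorted(best)))
    return alerts


def sample_events():
    """Constructed events: a jump host touching three servers (normal), a
    workstation reaching ADMIN$ on six servers within 75 seconds (the
    scripted spread), and a user opening a plain file share on many
    servers (not an admin share, so ignored)."""
    t0 = datetime(2022, 7, 14, 2, 10, 0)
    ev = []
    for i, host in enumerate(["SRV01", "SRV02", "SRV03"]):
        ev.append({"ts": t0 + timedelta(minutes=i), "source_ip": "10.0.0.5",
                   "user": "CORP\\itadmin", "target_host": host,
                   "share_name": "\\\\*\\ADMIN$"})
    for i in range(6):
        ev.append({"ts": t0 + timedelta(seconds=15 * i), "source_ip": "10.0.1.77",
                   "user": "CORP\\jsmith", "target_host": f"SRV{i + 1:02d}",
                   "share_name": "\\\\*\\ADMIN$"})
    for i in range(8):
        ev.append({"ts": t0 + timedelta(seconds=10 * i), "source_ip": "10.0.1.80",
                   "user": "CORP\\finance", "target_host": f"FS{i:02d}",
                   "share_name": "\\\\*\\Finance"})
    return ev


if __name__ == "__main__":
    for src, user, targets in detect_admin_share_fanout(sample_events()):
        print(f"ALERT {src} ({user}) reached ADMIN$/C$ on {len(targets)} hosts: {targets}")
```

The threshold and window are tuning knobs: the jump host in the sample stays below them, and putting its IP in the allowlist is how the "limited set of administrator machines" from mitigation 5 is expressed. Event 5140 must be enabled (Audit File Share) on the servers for this data to exist at all.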
Generally, MyCERT advises users to keep up with the latest security announcements from their vendors and to follow best-practice security policies when deciding which updates to apply.
For further enquiries, please get in touch with MyCERT through the following channels:
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
MA-906.012023: MyCERT Advisory - New Dark Pink APT Group Targets Government and Military Organisations in APAC Countries
Recently, MyCERT was informed of an APT campaign targeting several countries in the APAC region, particularly in South East Asia. The activity is possibly linked to the threat actor (TA) Dark Pink, the name given by Group-IB. At present, Group-IB cannot attribute the campaign to any known threat actor, making it highly likely that Dark Pink is an entirely new APT group. The name Dark Pink was coined from some of the email addresses the threat actors used during data exfiltration. Chinese cybersecurity researchers have also termed the group Saaiwc Group.
Dark Pink launched seven successful attacks against high-profile targets between June and December 2022. The victims are located in five APAC countries (Vietnam, Malaysia, Indonesia, Cambodia and the Philippines) and one European country (Bosnia and Herzegovina). Victims included military bodies, government and development agencies, religious organisations and non-profit organisations. In addition, one unsuccessful attack was launched against a European state development agency based in Vietnam in October 2022. The Dark Pink APT timeline and targets are shown in Figure 1.
Figure 1 - Dark Pink APT timeline and targets
A successful attack leads to corporate espionage: stealing or capturing documents, recording audio from infected devices' microphones, and exfiltrating data from messaging applications.
3.0 Techniques, Tactics and Procedures (TTP)
3.1 - Initial access
Dark Pink used spear-phishing emails to gain initial access to victims' machines. Group-IB found an original email sent by the threat actors, in which the sender posed as a job applicant for a PR and Communications internship at the targeted organisation. The email states that the vacancy was found on a jobseeker site, which suggests that the threat actors scan job advertisements on the Internet and use that information to craft their spear-phishing emails.
The email contains a shortened URL pointing to a free-to-use file-sharing site, from which the victim is invited to download an optical disc image (ISO) containing the TA's files used to infect the victim's network. During the investigation into Dark Pink, it was discovered that the threat actors leveraged several different ISO images, and some of the documents contained in them varied from case to case. Based on the available information, it is strongly believed that Dark Pink crafts a unique email for each victim. The threat actors can also send the malicious ISO image to the victim directly as an email attachment.
Figure 2 - Screenshot of original spear-phishing email sent by Dark Pink APT noting the storage of the ISO image on a file-sharing site.
The ISO images sent in the spear-phishing emails contained varying numbers of files. Three types of files are found in every ISO image sent by the threat actors: a signed executable, a non-malicious decoy document (e.g. .doc, .pdf or .jpg), and a malicious DLL. Since the spear-phishing email concerns a job application, the victim is expected to look first for the applicant's resume, which is usually sent as an MS Word document. In Dark Pink attacks, however, the threat actors include in the ISO image an .exe file that mimics an MS Word file: the file name contains ".doc" and the file carries the MS Word icon, so the victim believes it is safe to open.
Figure 3 - Screenshot detailing the five files contained in one ISO image seen by Group-IB. Note that the .doc and .dll files are in hidden view.
Should the victim run the .exe file, the malicious DLL located in the same folder is loaded automatically. This technique is known as DLL side-loading. The primary function of the DLL is to ensure that the threat actors' core malware, TelePowerBot, gains persistence. While execution completes, the decoy document (e.g. a letter or resume) is displayed on the victim's screen.
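The three ISO traits described above (an executable whose name contains a document extension, hidden decoy and DLL files, and a DLL placed beside a signed executable for side-loading) can be checked mechanically from a directory listing of the image. The following is an added example of such a triage rule, not Group-IB's or MyCERT's tooling; the listing, the file names and the scoring weights are constructed for the demonstration and the DLL name is a placeholder, not an indicator.

```python
"""Triage the file listing of an ISO image for the Dark Pink lure pattern.

Added example, not Group-IB's or MyCERT's tooling. It scores a listing the
way an analyst would after mounting the image (or running isoinfo -l):
an executable with a document extension embedded in its name, hidden decoy
or DLL files, and a DLL sitting beside an executable (a DLL side-loading
candidate). The listing below and the names in it are constructed; the real
ISOs varied from victim to victim.
"""
import os
from dataclasses import dataclass

DOC_EXTS = {".doc", ".docx", ".pdf", ".jpg", ".xls", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool = False   # hidden attribute from the image's directory record


def ext(name: str) -> str:
    return os.path.splitext(name)[1].lower()


def masquerades_as_document(name: str) -> bool:
    """'Applicant CV.doc.exe' -> True; 'setup.exe' -> False; 'CV.doc' -> False.
    Matches any document extension left of the real extension, so padded
    names such as 'Resume.docx      .exe' are caught too."""
    if ext(name) not in EXEC_EXTS:
        return False
    stem = os.path.splitext(name)[0].lower()
    return any(doc in stem for doc in DOC_EXTS)


def triage(entries):
    """Return a list of (finding, detail) tuples for the listing."""
    findings = []
    for e in entries:
        if masquerades_as_document(e.name):
            findings.append(("MASQUERADE", e.name))
        if e.hidden and ext(e.name) in DOC_EXTS | {".dll"}:
            findings.append(("HIDDEN", e.name))
    exes = [e.name for e in entries if ext(e.name) in EXEC_EXTS]
    dlls = [e.name for e in entries if ext(e.name) == ".dll"]
    for exe in exes:                 # every exe/dll pair is a side-loading candidate
        for dll in dlls:
            findings.append(("SIDELOAD_CANDIDATE", f"{exe} + {dll}"))
    return findings


WEIGHTS = {"MASQUERADE": 5, "HIDDEN": 2, "SIDELOAD_CANDIDATE": 3}   # constructed


def score(entries) -> int:
    return sum(WEIGHTS[kind] for kind, _ in triage(entries))


def verdict(entries) -> str:
    return "SUSPICIOUS" if score(entries) >= 5 else "CLEAN"


# Constructed listing modelled on the five-file image in Figure 3; the DLL
# name is a placeholder, not an indicator.
LURE_ISO = [
    Entry("Applicant CV.doc.exe"),
    Entry("Applicant CV.doc", hidden=True),
    Entry("helper.dll", hidden=True),
    Entry("Cover Letter.pdf"),
    Entry("Portfolio.jpg"),
]

BENIGN_ISO = [Entry("Quarterly Report.pdf"), Entry("Photo.jpg")]

if __name__ == "__main__":
    for kind, detail in triage(LURE_ISO):
        print(f"{kind:<20} {detail}")
    print(verdict(LURE_ISO), score(LURE_ISO))
```

A single MASQUERADE finding is enough for a SUSPICIOUS verdict on its own, since a renamed executable has no legitimate reason to sit in a job application; the hidden-file and side-loading findings add confidence but are weighted lower because installers legitimately ship DLLs next to executables.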
3.2 – Trojan execution and persistence
Group-IB also documented how TelePowerBot or KamiKakaBot are launched on the victim's machine. The malicious DLL containing one of these two malware families can be located inside the ISO image sent during spear-phishing campaigns. In one instance, the threat actors used a chain of MS Office documents and leveraged template injection, inserting into the initial document a link to a template document that contains malicious macro code. In two other cases examined by Group-IB researchers, the threat actors behind Dark Pink launched their malware by DLL side-loading. In total, three different kill chains are leveraged by the threat actors, as detailed below.
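Template injection, as used in the first case above, leaves a structural trace in the initial document: a .docx is a zip archive, and a document that fetches its template from the network carries an attachedTemplate relationship with an external URL in word/_rels/settings.xml.rels, which Word resolves when the file opens. The following is an added example of a scanner for that trace, not part of the MyCERT advisory or Group-IB's research; the sample document is built in memory, so its URL is a placeholder and not a Dark Pink indicator.

```python
"""Detect remote template injection in a .docx.

Added example; it is not part of the MyCERT advisory or Group-IB's research.
A .docx is a zip archive. A document that pulls its template from the
network carries, in word/_rels/settings.xml.rels, a Relationship of type
attachedTemplate whose Target is a URL and whose TargetMode is "External".
Word fetches that URL on open, and the fetched template may carry macros.
The sample document built here uses a placeholder URL.
"""
import io
import zipfile
import xml.etree.ElementTree as ET   # prefer defusedxml for untrusted files in production

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def remote_templates(docx_bytes: bytes) -> list:
    """Return every external attachedTemplate Target found in the document."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            # settings.xml.rels is the usual carrier; scan every .rels under word/ anyway
            if not (part.startswith("word/_rels/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append(rel.get("Target"))
    return hits


def build_docx(template_target=None, external=True) -> bytes:
    """Construct a minimal .docx. With template_target set it carries an
    attachedTemplate relationship like the lure document; external=False
    models a template referenced by a local path, which is not injection."""
    rel = settings_ref = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
               f'Target="{template_target}"{mode}/>')
        settings_ref = '<w:attachedTemplate r:id="rId1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?>'
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0" encoding="UTF-8"?>'
                    f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        zf.writestr("word/settings.xml",
                    f'<?xml version="1.0" encoding="UTF-8"?>'
                    f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">{settings_ref}</w:settings>')
        zf.writestr("word/_rels/settings.xml.rels",
                    f'<?xml version="1.0" encoding="UTF-8"?>'
                    f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_docx("http://template.example.invalid/cv.dotm")   # placeholder URL
    print(remote_templates(lure))
    print(remote_templates(build_docx()))
```

The check is static, so it works on mail-gateway attachments before anyone opens them; the same relationship type with a local path (TargetMode absent) is how ordinary documents reference a template on disk and is deliberately not flagged.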
3.2.1 - Kill Chain 1: All-inclusive ISO
In the first variant of the infection chain, an ISO image is sent to the victim through a spear-phishing email. This ISO image includes a malicious DLL file containing TelePowerDropper (the name given by Group-IB). The primary goal of this DLL is to gain persistence for TelePowerBot in the registry of the infected machine. Sometimes the DLL also launches the threat actors' proprietary stealers (Ctealer or Cucky), which parse data from browsers on the victim's machine and store it in a local folder. It is important to note that launching a stealer is optional during initial access: Dark Pink can send special commands to download and launch a stealer during any phase of the attack.
Figure 4 - Graphic detailing the full scheme of Kill Chain 1