Analysis Summary
Overview – 23rd March – A Big Day
As we approach the 23rd of March, Pakistan Day, organizations and individuals should be aware of potential cyber threats that may arise during this period. This advisory aims to provide an overview of potential risks and actionable steps to mitigate them.
Threats Overview
During national events and holidays, threat actors may leverage the increased online activity to carry out targeted or opportunistic cyber attacks. These attacks may include phishing campaigns, ransomware, DDoS attacks, and social engineering tactics. In the context of Pakistan, various nation-state and cybercriminal groups have been known to target the country, posing a significant risk to organizations and individuals.
Specific Threat Actors Targeting Pakistan
- Donot APT Group: This group, also known as APT-C-35, has been known to target Pakistan in the past. They primarily focus on cyber espionage and have targeted government institutions and the military sector.
- Sidewinder: Sidewinder is an APT group that has conducted cyber attacks against military and government organizations in Pakistan. They use sophisticated techniques, such as custom malware, to infiltrate networks and gather intelligence.
- APT40: APT40, a China-linked APT group, has been known to target Pakistan and other countries. They typically focus on cyber espionage, targeting government organizations, critical infrastructure, and private sector companies for strategic purposes.
- Iranian Groups: Various Iranian cyber threat actors, including APT groups, have conducted attacks against Pakistan. They may target government and military organizations for espionage or launch disruptive cyberattacks.
- Indian Hacktivists: Hacktivist groups from India may target Pakistan during national events to promote political agendas or cause disruptions. These attacks can include website defacements, data leaks, and DDoS attacks.
Previous Threat Scenarios
- A threat actor with a history of attacking Pakistani government officials and military personnel, and linked to India, previously targeted Pakistani Android mobile users with Android malware named StealJob, delivered through phishing in the name of “Kashmiri Voice”. The attackers hunt for confidential information and intellectual property.
- Pakistani government officials were also previously targeted with a decoy file related to NTC (National Telecom Corporation). The attackers employ custom implementations to exploit known vulnerabilities and then deploy a PowerShell payload in the final stage to distribute the malware. The group was also detected employing credential phishing sites that were copied from their victims’ webmail login pages.
- Previously, an APT group was observed using mobile malware to infiltrate its victims before it used desktop malware. Android surveillanceware tools like SunBird, ChatSpy, and Hornbill have been used by the group to spy on the victims. Pakistan’s military officials, nuclear authorities, and Indian officials located in Kashmir have also been the chief targets of these threat actors.
Possible Threat Scenarios For 23rd March
- Cyber criminals can target Pakistan on its big day, 23rd March, by launching large-scale distributed denial of service (DDoS) attacks. Government websites may be hit with DDoS attacks in order to bring them down temporarily, while communications networks can suffer from content-oriented exploits designed to disrupt traffic.
- Cyber criminals can also exploit any known vulnerabilities in websites hosted within the network infrastructure to gain unauthorized access and hijack databases containing sensitive customer information.
- Additionally, malicious actors could distribute malware through phishing emails that lure unsuspecting victims into downloading malicious attachments meant to infect their devices.
- Phishing emails can target Pakistani sectors on 23rd March, Pakistan Resolution Day by exploiting the patriotic sentiment and nationalistic fervor associated with the day. Attackers can use various tactics to make their phishing emails seem more legitimate. For example, they may use the colors of the Pakistani flag or images of national monuments and landmarks to make the email appear more official. They may also use subject lines that relate to the day’s significance, such as “Celebrate Pakistan Resolution Day” with exclusive offers or some type of reward scams.
- Additionally, critical infrastructure such as power grids may be vulnerable since most of it is still controlled by outdated technology that lacks modern security protocols.
- Web Defacement – Defacing a website means changing its appearance without any authorization to do so. In a website defacement attack, the hacker either inserts inappropriate copy or images on a legitimate website or shuts the website down entirely, making it non-functional. Threat actors typically gain access to a website’s hosting environment and make changes to important assets such as the public_html directory, SQL databases, or WordPress’s admin account. Attackers obtain such unauthorized access by exploiting security vulnerabilities using techniques such as SQL injection, brute force attacks, credential leakage, cross-site scripting (XSS), malware insertion, etc.
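As an added illustration (not part of the original advisory), a minimal file-integrity check for a web root such as the public_html directory mentioned above: it baselines the SHA-256 digest of every file and reports what was added, modified or removed, which is how an unauthorized page change is usually caught. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(webroot) -> dict:
    """Map every file under webroot (as a relative POSIX path) to its SHA-256 digest."""
    root = Path(webroot)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify files as added, modified or removed relative to the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small site, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "assets").mkdir(parents=True)
        (site / "index.html").write_text("<h1>Welcome</h1>")
        (site / "assets" / "style.css").write_text("body { margin: 0 }")
        trusted = build_baseline(site)

        # Simulated unauthorized changes: homepage replaced, a file dropped in,
        # and a legitimate asset deleted.
        (site / "index.html").write_text("<h1>Defaced</h1>")
        (site / "banner.html").write_text("<marquee>...</marquee>")
        (site / "assets" / "style.css").unlink()

        return diff_baseline(trusted, build_baseline(site))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host and the comparison scheduled, so that a changed digest triggers an alert rather than being silently re-baselined.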
Exploited-in-the-wild vulnerabilities
- CVE-2023-21715 (Microsoft Publisher)
- CVE-2023-23376 (Microsoft Windows Common Log File System Driver)
- CVE-2023-21823 (Microsoft Windows Graphics Component)
- CVE-2022-30190 (Follina Vulnerability (MSDT))
- CVE-2022-41033 (Microsoft Windows COM+ Event System Service)
- CVE-2022-41352 (Zimbra Collaboration (ZCS))
- CVE-2022-41040 and CVE-2022-41082 (Microsoft Exchange Server)
- CVE-2017-12240 and CVE-2018-0171 (Cisco IOS and Cisco IOS XE)
- CVE-2018-0125 (Cisco RV132W Routers)
- CVE-2018-0147 (Cisco Secure Access Control System)
- CVE-2021-1497 (Cisco HyperFlex)
Possible impact
- Service Disruption
- Reputational Damage
- Information Theft and Espionage
- Exposure of Sensitive Data
- Exfiltration Of Data
- Information Loss
- Unauthorized Access
- Financial Loss
- File Encryption
Conclusion
By staying vigilant and implementing proactive security measures, organizations and individuals can reduce the likelihood of falling victim to cyber threats during Pakistan Day celebrations. Understanding the specific threat landscape in Pakistan, including threat actors like Donot APT group, Sidewinder, APT40, Iranian groups, and Indian hacktivists, is crucial to mitigating potential risks. Encourage a culture of cybersecurity awareness and foster a safe online environment for all.
General Recommendations
- Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies. Do not use the same password for multiple platforms, servers, or networks.
- Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
- WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
- Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days related to web servers and web application servers.
- Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- 2FA – Enable two-factor authentication.
- Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Employee Training – Employees should be well-versed in social engineering tactics and threats, and how to defend against them. Seminars, training, and employee orientations on cybersecurity best practices and threats are crucial.
- Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.
- Use a Content Delivery Network – A CDN can distribute traffic across multiple servers, which can help to absorb the impact of a DDoS attack.
- Implement rate-limiting – Rate-limiting can cap the amount of traffic that is allowed to enter the system, reducing the impact of a DDoS attack.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Enforce access management policies.
- Terminate all accounts associated with an employee or contractor immediately upon dismissal.
- Restrict installation of untrusted third-party applications.
- Maintain daily backups of all computer networks and servers.
Rewterz offers a variety of data protection and recovery solutions that ensure your organization’s data recovery from destructive cyberattacks.