A Glimpse into Cybersecurity Excellence
In the ever-evolving landscape of cybersecurity, staying ahead of emerging threats and understanding the intricacies of sophisticated threat actors is paramount. This year, at the highly respected Virus Bulletin 2023 conference, NTT Security Holdings' skilled SOC teams have earned the privilege of presenting two(!) compelling insights into the world of cyber threats. Virus Bulletin is renowned for its role in advancing the field of cybersecurity by facilitating the exchange of knowledge, research, and expertise.
Magniber’s Missteps: Because Even Spiders Trip Over Their Own Web
By Amata Anantaprayoon & Patrik Olson (NTT Security Holdings)
The Magniber ransomware group, which emerged in 2017, has been a significant player in the cybercrime world. Our investigation indicates that they have amassed substantial profits, totaling around GBP 370.000, over the past eight months. In the presentation, Amata and Patrik will shed light on the intriguing missteps of Magniber, revealing a unique perspective on the group's activities.
Highlights of the presentation:
• Who is Magniber?: An introduction to the Magniber ransomware group, providing context on their activities and evolution.
• Misconfigured Server Exposing PHP Script: Details on the discovery of a misconfigured server, exposing a PHP script used by Magniber to generate their ransomware locker. Insights into the script, including its anti-bot and filter capabilities.
• Misconfigured Critical Infrastructure: Exploration of exposed log servers within the Magniber infrastructure. Data analysis revealing the extent of their operations, including infected victims and earnings over the past eight months.
• Exposed RSA Private Keys: An explanation of the significance of exposed RSA private keys and their role in the decryption process. A demonstration of how the Magniber locker encrypts files and how the private keys can be used for decryption, complete with a proof-of-concept.
• Summary: An easy-to-understand diagram illustrating the Magniber ransomware group’s infrastructure. Sharing of indicators of compromise (IOCs), RSA keys, and Bitcoin (BTC) addresses to enhance awareness and defense against Magniber and similar threats.
FirePeony: A Ghost Wandering Around the Royal Road
By Rintaro Koike & Shogo Hayashi (NTT Security Holdings)
FirePeony, also known as SharpPanda, is an Advanced Persistent Threat (APT) group that has been active since at least 2021. Initially focused on Southeast Asia, this China-nexus threat actor recently shifted its targets to government entities of G7 and G20 countries, raising eyebrows in the cybersecurity community.
Highlights of the presentation:
• Timeline of Previous Attacks: An overview of more than ten confirmed attack cases, dating back to 2021, providing insights into who was targeted and how.
• Shift in Targets: Examination of the significant shift in FirePeony’s targets, including attacks against government entities of major global powers. A comparison with other China-nexus APT groups, such as Mustang Panda.
• Malware Analysis: A deep dive into the malware employed by FirePeony, including 5.t Downloader, VictoryDll, and Soul Framework. An exploration of the links between FirePeony and other threat actors.
• Operational Errors: Insight into operational errors made by FirePeony, including server misconfigurations and exposure of log files. An analysis of these mistakes and their implications.
The information shared in these presentations promises to be invaluable for cybersecurity professionals and organizations. It equips them with the knowledge to defend against evolving threats and underscores the importance of ongoing research and vigilance in the cybersecurity field. These presentations not only showcase cutting-edge research but also serve as a testament to the commitment of our SOC teams in the ongoing battle against cyber threats.
Details about Virus Bulletin 2023 can be found here: https://www.virusbulletin.com/conference/vb2023/