CYFIRMA, a Singapore-based external threat landscape and cyber-intelligence platform company, launched its external threat visibility platform services for businesses in the Philippines. CYFIRMA combines cyber intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, and multi-layered insights to its clients. Companies can now prepare against today’s advanced digital landscape’s evolving and emerging cyber threats.
Kumar Ritesh, founder, and CEO of CYFIRMA says: “Evolution of cybercrime and geopolitical events can have a far-reaching ripple effect on government, businesses, and individuals. This is prevalent and can be witnessed in the ongoing Russia-Ukraine conflict, where cyberattacks are being deployed to tarnish government agencies and commercial industries. For the first time, we noticed both pro and anti-Russian hacking groups becoming highly vocal in support of their respective causes, including self-proclaimed hacktivist groups such as ‘Anonymous’ who have launched attacks against the Russian establishment. Cyberwar is being waged across all fronts and we need to operate with heightened alert as geopolitics and the cyber world collide.”
“Also, the Philippines is an emerging digital economy in the ASEAN region. But the adoption of digitalization in a bid to recover from the pandemic meant cybersecurity was put on a backburner. To successfully mitigate emerging cyberthreats and digital risks, businesses need visibility into their external threat landscape. By constantly monitoring their cyber adversaries’ strengths and weaknesses as well as their vulnerabilities, businesses can build effective strategies to avoid the financial and reputation repercussions of cyberattacks.”
The threat landscape in the Philippines
According to Interpol’s ASEAN Cyber Threat Assessment 2021, the average internet penetration rate in the Philippines is 67% and users in the country spend the most amount of time per day on the Internet: between nine and 10 hours.
With the Philippines seeing exponential growth in the digital technology sector, particularly financial technology and e-commerce, there is an increasing demand for Internet and broadband services. With such explosive growth and the still untapped vast potential market opportunity, the region is considered to be one of the most competitive markets in the world, where global investors dominate.
However, this increasing dependence on the Internet has opened doors of opportunities for one more thing – cybersecurity threats. It impedes trust and resilience in the digital economy, which will prevent the country from realizing its full digital potential if nothing is done and can cause severe damage in the long run.
According to Statista, a company that specializes in market and consumer data, the number of cyberattacks in the Philippines has exponentially grown during the first quarter of the year, reaching as much as around 1.76 million. Whereas it remains at a low ranking of 82nd when it comes to cybersecurity readiness, according to a global security index.
Cyber threats to keep an eye on
Ransomware activities: The Philippines ranks as the 4th most targeted ASEAN country by ransomware attackers. Ransomware groups are improving their tactics and no longer depend on any attack vector or attack method but combine different approaches. Healthcare, government agencies, banks, manufacturing, retail, IT service providers, and e-commerce platforms are likely to be on their radar. Apart from this, ransomware using IoT as entry points, targeting third-party and supply chain software, along with a focus on operational technology (OT) is going to be an area of particular interest for ransomware operators in the year ahead.
Kinetic cyberattacks: Geopolitical tensions, commercial competition, and socio-economic differences have triggered kinetic cyberattacks resulting in physical damage and loss of lives. One of the prime examples of this is the current cyber war between Ukraine and Russia. The Kremlin-leaning Belarus also had to face the wrath of the so-called Belarusian Cyber-Partisans’ hacktivists.’ They took down 90% of the network routing equipment, including all core devices. This caused the entire network to go offline, and most of the equipment was rendered unrecoverable, causing massive delays and failure of the entire railway system. This is a worrying trend that can be taken up by other state-sponsored actors too.
Phishing with deep fake attacks: Phishing is not a new cyber threat, nor is it decreasing. Instead, it is considered the most prevalent cyber threat for stealing credentials and has been pivoting towards other forms of cybercrime, such as data breaches. As per Interpol’s analysis in the ASEAN Cyberthreat Assessment 2021 report, SaaS and webmail sites remained the biggest targets for phishing, with more than 35% of all attacks. According to CYFIRMA’s researchers, the phishing trend will continue this year and likely leverage the increased use of deep fake technology.
DDoS attacks: Since 2019, DDoS activities have seen a significant uptick, according to CYFIRMA’s research. With Mirai Botnet now known to even exploit the ‘Spring4Shell’ vulnerability, especially in vulnerable servers from Singapore and other ASEAN countries, the threat of botnets and brute-force attacks will see an escalation in this region.
State-sponsored geopolitical threats: Nations would further collaborate, join forces, and share resources to target a common enemy. More state-sponsored cybercriminals will participate in corporate espionage in support of the national plan to create a competitive advantage for local businesses.
SMEs under attack: Small and medium enterprises’ lack of cybersecurity maturity has always made them easy targets for cyber-criminals. In 2022, hacking groups’ interest in this segment will escalate as they seek to profit quickly from underground activities.
Active threat actors to look-out
Lazarus Group: One of the most active nation-state threat actors from North Korea is believed to be working with the North Korean government and DPRK military intelligence. The threat group has evolved and enhanced its Tactics, Techniques, and Procedures or TTPs which include Botnet Usage, Commodity malware as Launchpad, Custom Command and Control Protocol and Ports, DLL Malware, Direct IP Access, Fake Applications, Obfuscation, Open Proxy Usage, Service creation for persistence, Collaboration with Other Nations-sponsored Threat Actors, macOS and Linux Malware. The threat group has been observed developing new malware such as VSingle, BLINDINGCAN, TAINTEDSCRIBE, MATA Framework, KEYMARBLE, HOTCROISSANT, NukeSped RAT, HOPLIGHT, BADCALL, COPPERHEDGE, FallChill RAT, Vyveva, etc. We have observed the threat group offering its services: Hacker-as-a-Service (HaaS) model to other nation threat groups wherein Lazarus Group infiltrates sensitive details for the other groups in exchange for financial benefits. The threat group has also been observed predominantly targeting Financial, Cryptocurrency, and Manufacturing (involving critical infrastructure, aerospace, and defense) industries to exfiltrate sensitive information and have the necessary funds to develop arms for strengthening the nation’s military capabilities.
FIN11: The Russian cybercriminal group is one of the most active ones and has recently focused its operations on ransomware and extortion. The techniques used by FIN11 include Anonymous domain registration, Code signing certificates, Private or semi-private malware, Spear-phishing attacks, malware implants, and lateral movement in the network. The malware and ransomware used by the group include Dewmode, Vidar, Azorult, BARBWIRE, FORKBEARD, Amadey, Clop ransomware, and Conti/Ryuk ransomware, etc. FIN11 cybercriminals are believed to share the target infrastructure with another Russian Cybercriminal group known as TA505 or Evil Corp. In the past year, we have observed FIN11 carrying out at least 19 out of 70 (27%) CYFIRMA tracked campaigns targeting multiple industries across geographies. FIN11 has been observed expanding its attack surface to other geographies in Asia-Pacific, the Middle East targeting organizations and collaborating with other nation threat actors under Ransomware-as-a-Service (RaaS) model.
FIN12: One of the recently known Russian Cybercriminal groups which are financially motivated and active since October 2018. The threat group specializes in the post-compromise deployment of primarily Conti/Ryuk ransomware. Instead of conducting multifaceted extortion, FIN12 appears to prioritize speed and higher revenue victims. FIN12 has seemingly diversified its partnerships for initial access operations, particularly in 2021. The techniques used by FIN12 include access via remote login, Code signing certificates, phishing attacks, malware implants, Ransomware Deployment Scripts, and Initial Access. FIN12 has been observed to leverage tried and tested malware such as Cobalt Strike, Trickbot, Conti/Ryuk Ransomware, Bazarloader, GRUNT Backdoor, Anchor Backdoor, GRIMAGENT Backdoor for potentially carrying out reconnaissance activities before implementing the actual attacks on the target organization. Like other Russian threat groups, FIN12 primarily targets organizations in North America. It is now suspected of expanding its attack surface in Europe and the Asia Pacific.
LockBit 2.0 Ransomware: LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of TTPs, creating significant challenges for defense and mitigation. This group compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero-day exploits. After compromising a victim network, LockBit 2.0 actors use publicly available tools such as Mimikatz to escalate privileges. The threat actors then use publicly available and custom tools to exfiltrate data, followed by encryption using the LockBit malware. The group’s extortion tactics include threats to leak exfiltrated victim data on the LockBit 2.0 leak site. Its affiliate-based model means cybercriminals with lesser technical knowledge can also deploy this ransomware to target businesses across various markets including emerging nations like the Philippines.
Conti Ransomware: Conti is often claimed to be a Russian state-sponsored operator and this was evident when Conti openly warned those conducting offensive cyber operations against Russia. Owing to this and the military invasion of Russia, a Ukrainian cybersecurity researcher released 13 months of sensitive data that came from the internal systems of the Conti ransomware gang. However, this was only a small glitch and Conti then went on to add the Trickbot malware under its arsenal. Affiliates of the Conti operation have been behind a significant number of recent attacks and with Conti appearing to recruit many of their former affiliates their operations are further estimated to surge in 2022 and beyond.
Lapsus$ Group: Probably the newest yet the most menacing group of recent times is the Lapsus$ group. The group has claimed to have compromised and posted the source code of Microsoft, Samsung, Nvidia, and – the latest – Okta – in three months. Classified as an extortion actor, Lapsus$ breaches corporate networks exfiltrate sensitive data and demands a ransom (although the group rejects it as false acquisition) in return for not leaking the information online. The group also operates a Telegram channel to reveal its victims’ names. Lapsus$ has also claimed to engage in data wiping activities against its targets.
Although the London City Police arrested a couple of teens who are allegedly behind the group’s operations, Lapsus$ recently posted that they were back from a vacation on its Telegram channel. These are ominous signs because, based on the group’s history, it does not target companies or businesses of a particular region but has a global outreach, and everyone, including ASEAN technology companies, is constantly going to be on their radar.
To counter these threats and threat actors CYFIRMA’s researchers have developed a proprietary cloud-based threat discovery and cyber-intelligence platform DeCYFIR and DeTECT that helps businesses dive into the hackers’ trenches to analyze and correlate information and discover the deepest insights from that data.
DeCYFIR’s ability to combine cyber intelligence with attack surface discovery, vulnerability detection, brand intelligence, situational awareness, and protection against digital risk – all on a single pane of glass – sets the company apart from other cybersecurity and cyber-intelligence products. The platform automatically connects the dots between threat actors, motives, campaigns, and methods to help clients predict cyberattacks targeting them.
DeTCT is the cutting-edge digital risk protection platform helping customers identify and monitor for vulnerabilities and potential attack vectors, develop an awareness of data leaks and breaches as well as the risks posed by third parties. Clients also subscribe to DeTCT to protect their brand and reputation by detecting copyright infringement and identity theft.