Updated as of 26 September 2023 1200hrs
The Situation
In response to recent high-profile cyber attacks, Hong Kong authorities are considering introducing a cybersecurity law and strengthening communication with overseas agencies, to step up legal and regulatory measures against cybercrime.
Hong Kong has seen another cyber attack, reported by its consumer watchdog, the Consumer Council, on 22 Sep, two weeks after Cyberport, a leading digital business technology park, revealed on 7 Sep that it had suffered a ransomware attack.
The Consumer Council disclosed its investigation into the personal data leak at a press conference on 22 Sep.
The Office of the Privacy Commissioner for Personal Data (PCPD) has received data breach notifications from both Cyberport and the Consumer Council and has commenced compliance checks into both incidents. Both organisations have been advised to notify the affected data subjects as soon as possible.
At the time of writing, the Consumer Council has sent out 25,000 data breach notifications to business contacts, staff and subscribers.
Cyberport Ransomware Attack
The ransomware group Trigona posted Cyberport's stolen data on its dark web leak site. The leaked data included scans of Hong Kong identity cards, financial statements and résumés belonging to Cyberport staff and tenants, as well as commercially sensitive information including lease agreements, receipts, audit reports and correspondence with government bodies and vendors.
Threat Profile of Trigona
Trigona is a relatively new ransomware family that has increasingly hit organisations in non-Western countries including Brazil, China and Argentina. Its operators run a double-extortion scheme: data is stolen before encryption and the victim is threatened with its publication on the group's leak site. Reports indicate that initial access is obtained through a combination of brute-force attacks, credentials or access to previously compromised accounts purchased from initial access brokers (IABs), and exploitation of vulnerable public-facing applications.
Trigona's operators have remained highly active. In Q2 2023 (April to June) the group named 18 victims on its data-leak site, placing it in the top 20 of the 43 ransomware groups that named victims on their respective leak sites during that period.
Figure: Number of victims named on the top 20 ransomware data-leak sites, Q2 2023 (Ref: ReliaQuest Quarterly Cyber-Threat Report: Ransomware & Data-Leak Extortion)
Recent reported activities
• By April 2023, Trigona was targeting exposed Microsoft SQL Server (MSSQL) instances, brute-forcing account credentials to gain initial access.
• In May 2023, researchers found a Linux version of Trigona that shares code and behaviour with its Windows counterpart.
• In June 2023, Trend Micro encountered a new version of Trigona ransomware, this time built for 64-bit Windows. This version implements additional command-line arguments that are not present in the Linux version or the original 32-bit version.
• Based on a report from Arete, Trigona has been observed exploiting the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 for initial access. The threat actors have also used previously compromised accounts purchased from initial access brokers. For lateral movement and staging they use a variety of tools, including Netscan and Splashtop (a legitimate remote access tool), the latter being used to drop additional tooling onto compromised machines.
• Trigona encrypts files on infected machines with AES and appends a "._locked" extension to each encrypted file. The binary carries an encrypted configuration in its resource section which is decrypted at run time.
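A detection for the MSSQL brute-force initial access described above, as an added example that is not part of the original advisory: it counts SQL Server failed-login events (error 18456) per client IP inside a sliding time window and flags sources that exceed a threshold. The log lines, threshold and window are constructed for illustration; the line layout follows the real SQL Server ERRORLOG format, which is the file to point this at on a suspected host.

```python
"""Flag password-guessing against SQL Server from ERRORLOG-style lines.

Added example, not from the original advisory: it counts 'Login failed'
events (SQL Server error 18456) per client IP inside a sliding time window
and flags any source that exceeds a threshold, the pattern behind the MSSQL
brute-force initial access described above. The log lines, threshold and
window below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "<timestamp> Logon   Login failed for user '<name>'. Reason: ... [CLIENT: <ip>]"
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

# Constructed sample: six failures in six seconds from one host (five against
# 'sa', one against 'admin'), two slow failures from another host, one success.
SAMPLE_LOG = """\
2023-04-10 10:15:32.12 Logon       Error: 18456, Severity: 14, State: 8.
2023-04-10 10:15:32.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 10:15:33.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 10:15:34.07 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 10:15:35.22 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 10:15:36.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-04-10 10:15:37.44 Logon       Error: 18456, Severity: 14, State: 5.
2023-04-10 10:15:37.44 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2023-04-10 10:20:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-04-10 10:25:00.00 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2023-04-10 10:25:05.00 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""


def parse_failures(lines):
    """Yield (timestamp, user, client_ip) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {client_ip: {"failures": n, "users": [...]}} for every client that
    produced at least `threshold` failed logins within `window_seconds`.
    `failures` is the largest count seen in any single window. Lines are
    expected in chronological order, as they are in ERRORLOG."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client ip -> failure timestamps still inside the window
    users = defaultdict(set)      # client ip -> account names tried
    flagged = {}
    for ts, user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            best = max(len(q), flagged.get(ip, {}).get("failures", 0))
            flagged[ip] = {"failures": best, "users": sorted(users[ip])}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed logins within 60s, accounts tried: {info['users']}")
```

Tune the threshold to the server's normal failure rate; a second account name appearing from the same source (here 'admin' after 'sa') is the stronger signal, since legitimate clients rarely rotate logins.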
Our Recommendations
To safeguard systems against ransomware attacks, implement data protection controls and establish backup and recovery procedures so that data remains secure and can be restored if it is encrypted or deleted.
• Back up your data. Perform frequent backups of systems and data following the 3-2-1 strategy: at least three copies of the data, two of them local (on-site) but on different media or devices, and at least one copy off-site. Keep at least one copy offline or immutable so that an intruder with domain credentials cannot encrypt or delete it along with the production data.
• Cybersecurity awareness training. Regular, mandatory awareness training keeps the workforce informed about current threats and the phishing lures that commonly precede ransomware deployment.
• Keep systems and software updated. Ensure applications and operating systems carry the latest patches, prioritising internet-facing services. Vulnerable public-facing applications are a primary initial access route for ransomware operators.
• Restrict code execution. Where feasible, use application control or access controls on temporary and other user-writable folders to prevent executables from running from them, limiting the ransomware's ability to execute and spread.
• Review permission-related practices. Removing local administrative rights can prevent ransomware from running with elevated privileges and from changing the local system resources it targets for encryption.
• Network controls. Firewalls should limit or block remote desktop protocol (RDP) and other remote management services, which are frequently used to deploy ransomware; where remote access is required, place it behind a VPN with multi-factor authentication and restrict it to known source addresses.
In the event of a ransomware attack, consider the following immediate measures:
• Isolate or shut down the affected system. To prevent the spread of the ransomware, disconnect the system believed to be infected from the network. Prefer network isolation over a power-off where possible, so that volatile evidence is preserved for the investigation.
• Block network access to any identified command-and-control (C2) servers and leak-site infrastructure used by the ransomware operators. Note that this does not by itself stop encryption: many families, including Trigona with its embedded configuration, encrypt without contacting a C2 server. Blocking C2 limits the operators' continued access and further data theft.
• Notify authorities. Consider informing authorities as appropriate.
• Seek help. Consider engaging a competent incident response team to help with the containment and investigation.
How Ensign can help
Ensign will continue to monitor the developing landscape in Hong Kong and keep you informed of any additional recommendations.
Ensign’s Digital Forensics and Incident Response service stands ready to aid in a possible incident or security breach. If you suspect an incident or are experiencing a breach, please contact us at marketing@ensigninfosecurity.com.
Engage experts from Ensign's Advisory and Cyber Strategy teams, who can assess the cyber risk of your organisation's attack surface and security architecture and identify measures to enhance cybersecurity resilience.
Indicators of Compromise
IoC | Type | Notes (if any)
---|---|---
f1e2a7f5fd6ee0c21928b1cae6e66724c4537052f8676feeaa18e84cf3c0c663 | SHA-256 (File-based IOC) | Linux.TRIGONA
951fad30e91adae94ded90c60b80d29654918f90e76b05491b014b8810269f74 | SHA-256 (File-based IOC) | Linux.TRIGONA
d0268d29e6d26d726adb848eff991754486880ebfd7afffb3bb2a9e91a1dbb7c | SHA-256 (File-based IOC) | Win64.TRIGONA
a891d24823796a4ffa2fac76d92fec2c7ffae1ac1c3665be0d4f85e13acd33f9 | SHA-256 (File-based IOC) | Win64.TRIGONA
2b40a804a6fc99f6643f8320d2668ebd2544f34833701300e34960b048485357 | SHA-256 (File-based IOC) | Win64.TRIGONA
8cbe32f31befe7c4169f25614afd1778006e4bda6c6091531bc7b4ff4bf62376 | SHA-256 (File-based IOC) | Win32.TRIGONA
fb128dbd4e945574a2795c2089340467fcf61bb3232cc0886df98d86ff328d1b | SHA-256 (File-based IOC) | Win32.TRIGONA
41c9080f9c90e00a431b2fb04b461584abe68576996379a97469a71be42fc6ff | SHA-256 (File-based IOC) | Win64.TRIGONA
c7a930f1ca5670978aa6d323d16c03a97d897c77f5cff68185c8393830a6083f | SHA-256 (File-based IOC) | MSIL.TRIGONA
bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13 | SHA-256 (File-based IOC) | svhost.exe (ransomware binary)
853909af98031c125a351dad804317c323599233e9b14b79ae03f9de572b014e | SHA-256 (File-based IOC) | Splashtop
24123421dd5b78b79abca07bf2dac683e574bf9463046a1d6f84d1177c55f5e5 | SHA-256 (File-based IOC) | Netscan
4724ee7274c31c8d418904ee7e600d92680a54fecdac28606b1d73a28ecb0b1e | SHA-256 (File-based IOC) | Netscan
e22008893c91cf5bfe9f0f41e5c9cdafae178c0558728e9dfabfc11c34769936 | SHA-256 (File-based IOC) | Netscan
8d069455c913b1b2047026ef290a664cef2a2e14cbf1c40dce6248bd31ab0067 | SHA-256 (File-based IOC) | Netscan
544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc | SHA-256 (File-based IOC) | start.bat
a15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6 | SHA-256 (File-based IOC) | turnoff.bat
b7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd | SHA-256 (File-based IOC) | newuser.bat
e5cf252041045b037b9a358f5412ae004423ad23eac17f3b03ebef7c8147a3bb | SHA-256 (File-based IOC) | Mimikatz
5603d4035201a9e6d0e130c561bdb91f44d8f21192c8e2842def4649333757ab | SHA-256 (File-based IOC) | Mimikatz
69f245dc5e505d2876e2f2eec87fa565c707e7c391845fa8989c14acabc2d3f6 | SHA-256 (File-based IOC) | Mimikatz
248e7d2463bbfee6e3141b7e55fa87d73eba50a7daa25bed40a03ee82e93d7db | SHA-256 (File-based IOC) |
596cf4cc2bbe87d5f19cca11561a93785b6f0e8fa51989bf7db7619582f25864 | SHA-256 (File-based IOC) |
704f1655ce9127d7aab6d82660b48a127b5f00cadd7282acb03c440f21dae5e2 | SHA-256 (File-based IOC) |
859e62c87826a759dbff2594927ead2b5fd23031b37b53233062f68549222311 | SHA-256 (File-based IOC) |
8f8d01131ef7a66fd220dc91388e3c21988d975d54b6e69befd06ad7de9f6079 | SHA-256 (File-based IOC) |
97c79199c2f3f2edf2fdc8c59c8770e1cb8726e7e441da2c4162470a710b35f5 | SHA-256 (File-based IOC) |
a86ed15ca8d1da51ca14e55d12b4965fb352b80e75d064df9413954f4e1be0a7 | SHA-256 (File-based IOC) |
accd5bcf57e8f9ef803079396f525955d2cfffbf5fe8279f744ee17a7c7b9aac | SHA-256 (File-based IOC) |
da32b322268455757a4ef22bdeb009c58eaca9717113f1597675c50e6a36960a | SHA-256 (File-based IOC) |
e7c9ec3048d3ea5b16dce31ec01fd0f1a965f5ae1cbc1276d35e224831d307fc | SHA-256 (File-based IOC) |
e97de28072dd10cde0e778604762aa26ebcb4cef505000d95b4fb95872ad741b | SHA-256 (File-based IOC) |
f29b948905449f330d2e5070d767d0dac4837d0b566eee28282dc78749083684 | SHA-256 (File-based IOC) |
fa6f869798d289ee7b70d00a649145b01a93f425257c05394663ff48c7877b0d | SHA-256 (File-based IOC) |
fbba6f4fd457dec3e85be2a628e31378dc8d395ae8a927b2dde40880701879f2 | SHA-256 (File-based IOC) | DC2.exe
94979b61bba5685d038b4d66dd5e4e0ced1bba4c41ac253104a210dd517581b8 | SHA-256 (File-based IOC) | DC4.exe
9c8a4159166062333f2f74dd9d3489708c35b824986b73697d5c34869b2f7853 | SHA-256 (File-based IOC) | DC6.exe
phandaledr@onionmail[.]org | Email Address | Ransom note contact email
farusbig@tutanota[.]com | Email Address | Ransom note contact email
how_to_decrypt.hta | File Name | Ransom note name
3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad[.]onion | TOR Address | Trigona TOR data-leak site / negotiation portal
45.227.253[.]99 | IP Address | IP address associated with Trigona activity
45.227.253[.]106 | IP Address | IP address currently hosting the Trigona leak site
45.227.253[.]98 | IP Address | IP address associated with Trigona activity
45.227.253[.]107 | IP Address | IP address associated with Trigona activity
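A sweep script that applies the indicators above to a host and its logs, as an added example that is not part of the original advisory: it hashes files under a directory and matches them against the SHA-256 list, flags the ransom-note and batch/tool file names, flags the "._locked" extension Trigona appends to encrypted files, and scans log lines for the listed IP addresses, contact email addresses and .onion address. The indicators are those from the table (defanged "[.]" removed so they match real log text); the sample directory tree and log lines the script builds are constructed for illustration.

```python
"""Sweep a directory tree and log lines for the Trigona indicators listed above.

Added example, not part of the original advisory. The hash, file name,
extension and network indicators are copied from the IoC table (refanged);
the sample directory tree and log lines are constructed for illustration.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Subset of the file hashes from the IoC table, lower-cased for comparison.
IOC_SHA256 = {
    "bef87e4d9fcaed0d8b53bce84ff5c5a70a8a30542100ca6d7822cbc8b76fef13": "svhost.exe (ransomware binary)",
    "544a4621cba59f3cc2aeb3fe34c2ee4522593377232cd9f78addfe537e988ddc": "start.bat",
    "a15c7b264121a7c202c74184365ca13b561fb303fb8699299039a59ab376adc6": "turnoff.bat",
    "b7fba3abee8fd3bdac2d05c47ab75fdaa0796722451bed974fb72e442ab4fefd": "newuser.bat",
}
# File names from the table (matched case-insensitively).
IOC_FILENAMES = {"how_to_decrypt.hta", "start.bat", "turnoff.bat", "newuser.bat",
                 "dc2.exe", "dc4.exe", "dc6.exe"}
LOCKED_SUFFIX = "._locked"   # extension Trigona appends to encrypted files
# Network and contact indicators from the table, refanged.
IOC_NETWORK = {
    "45.227.253.99", "45.227.253.106", "45.227.253.98", "45.227.253.107",
    "phandaledr@onionmail.org", "farusbig@tutanota.com",
    "3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion",
}
TOKEN = re.compile(r"[\w.@-]+")   # splits "dst=45.227.253.99" into "dst", "45.227.253.99"


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, hashes=None):
    """Return {relative_path: [reasons]} for every file under root that matches
    a known hash, a known file name, or the encrypted-file extension."""
    hashes = IOC_SHA256 if hashes is None else hashes
    root = Path(root)
    hits = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = []
        label = hashes.get(sha256_file(path))
        if label:
            reasons.append(f"hash match: {label}")
        if path.name.lower() in IOC_FILENAMES:
            reasons.append("known filename")
        if path.name.lower().endswith(LOCKED_SUFFIX):
            reasons.append(f"encrypted-file extension {LOCKED_SUFFIX}")
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits


def sweep_logs(lines):
    """Return [(line_number, indicator)] for tokens equal to a network/contact IoC.
    Whole-token comparison stops 45.227.253.9 from matching 45.227.253.99."""
    found = []
    for n, line in enumerate(lines, start=1):
        for tok in TOKEN.findall(line):
            tok = tok.strip(".").lower()
            if tok in IOC_NETWORK:
                found.append((n, tok))
    return found


# Constructed firewall / DNS / mail log lines for a dry run.
SAMPLE_LOG = [
    "2023-09-05T02:11:09Z fw deny src=10.0.4.21 dst=45.227.253.99 dport=443",
    "2023-09-05T02:11:10Z fw allow src=10.0.4.21 dst=192.0.2.10 dport=443",
    "2023-09-05T02:14:51Z dns query 3x55o3u2b7cjs54eifja5m3ottxntlubhjzt6k6htp5nrocjmsxxh7ad.onion from 10.0.4.21",
    "2023-09-05T02:20:00Z mail from=phandaledr@onionmail.org subject=decrypt",
]


def build_sample_tree(root=None):
    """Create a constructed directory tree (in a fresh temp dir when root is None):
    an encrypted-looking file, a ransom note, a staging batch file and a benign
    file. The batch file content is made up, so it matches by name, not by hash."""
    root = Path(tempfile.mkdtemp() if root is None else root)
    (root / "Documents").mkdir(parents=True)
    (root / "Users" / "Public").mkdir(parents=True)
    (root / "Documents" / "report.docx._locked").write_bytes(b"\x00\xa7ciphertext-placeholder")
    (root / "Documents" / "how_to_decrypt.hta").write_text("<html>constructed ransom note</html>")
    (root / "Users" / "Public" / "start.bat").write_text("@echo off\nrem constructed, not the real sample\n")
    (root / "notes.txt").write_text("benign file")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for rel, reasons in sweep_files(build_sample_tree(d)).items():
            print(f"{rel}: {', '.join(reasons)}")
    for n, ioc in sweep_logs(SAMPLE_LOG):
        print(f"log line {n}: {ioc}")
```

Hash matches are the highest-confidence hits but the weakest coverage, since the operators rebuild tooling; the file-name and "._locked" checks catch a live infection regardless of the binary, and the log sweep is what to run across proxy and firewall exports for the whole estate rather than one host.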
References
Consumer Council (Hong Kong), as reported by hk01.com: "Consumer Council hacked: hackers helped themselves to staff and customer data for 7 hours; Consumer Council: no ransom will be paid" (original Chinese title: 消委會黑客入侵|員工客戶資料7小時予取予攜 消委會:不交贖金)
CUHK Information Technology Services Centre (ITSC), information security best practices, Trigona ransomware: https://www.itsc.cuhk.edu.hk/user-trainings/information-security-best-practices/ransomware-trigona/
Office of the Privacy Commissioner for Personal Data (PCPD), Media Statement on the Data Breach Incident of the Consumer Council: https://www.pcpd.org.hk/english/news_events/media_statements/press_20230921.html
Office of the Privacy Commissioner for Personal Data (PCPD), Media Statement in Response to Cyberport's Data Breach Incident: https://www.pcpd.org.hk/english/news_events/media_statements/press_20230913b.html
IoC sources
Trend Micro, An Overview of the Trigona Ransomware: https://www.trendmicro.com/en_za/research/23/f/an-overview-of-the-trigona-ransomware.html
Palo Alto Networks Unit 42, Trigona ransomware update: https://unit42.paloaltonetworks.com/trigona-ransomware-update/
Fortinet, Ransomware Roundup: Trigona Ransomware: https://www.fortinet.com/blog/threat-research/ransomware-roundup-trigona-ransomware