ALTDOS Group Wages Attacks in Singapore
Agencies Issue Advisory Offering Mitigation Advice
ALTDOS, an advanced persistent threat group, has recently targeted several organizations in Singapore by waging "double extortion" ransomware attacks in an attempt to gain ransom payments, local government authorities say.
In an advisory, the Cyber Security Agency of Singapore, the Personal Data Protection Commission of Singapore and the Singapore Police Force explain that the gang encrypts files and exfiltrates data. If a victim refuses to pay a ransom, information can be leaked online or sold to the highest bidder on the dark web.
Darktrace research reveals that prior to 2019, only one known threat actor, Maze Team APT group, used double extortion ransomware, but now over 16 ransomware groups actively use this tactic.
ALTDOS emerged in December 2020, when it claimed its first victim, Country Group Securities, a securities trading firm based in Thailand. Since then, the Singapore advisory states, ALTDOS has claimed victims in Bangladesh, Thailand and Singapore.
Although ALTDOS’ country of origin is unknown, the APT group has been primarily operating in South Asia, targeting businesses for financial gain.
In Singapore, the threat group is reported to have carried out the March cyberattack on retail furniture chain Vhive.
The ALTDOS group typically demands ransoms be paid in bitcoin, the advisory notes. If the victim refuses to comply or respond within the given time frame, ALTDOS may also launch a distributed denial-of-service attack to disrupt operations, authorities say.
How ALTDOS Works
ALTDOS is exploiting vulnerable Apache Web Servers and using Structured Query Language injection against vulnerable targets to obtain initial access, the advisory notes.
Although the advisory states that it's not clear which ransomware variant ALTDOS is using, Thailand’s Computer Emergency Response Team reports that in a December 2020 attack on Thai media conglomerate Country Group Securities, the group used a penetration-testing tool called Cobalt Strike that allowed it to load fileless malware called Beacon.
Beacon is capable of loading itself into the memory of a process without touching the disk, according to Malpedia.
The advisory states that ALTDOS primarily employs default Cobalt Strike beacons that can be identified using an open-source malware detection tool called YARA.
ALTDOS has also been observed to use default Cobalt Strike TLS/SSL certificates, so organizations should check for certificates bearing the name “Major Cobalt Strike” or “Cobaltstrike,” the advisory says.
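As an added example (not code from the advisory or the article), a small Python triage script that applies the advisory's certificate check to subject lines in the format printed by `openssl x509 -noout -subject`; the marker list is taken from the advisory's two names, and the sample subject lines are constructed here for illustration.

```python
import re
from typing import Dict, List

# Indicators named in the Singapore advisory: default Cobalt Strike
# certificates carry "Major Cobalt Strike" or "Cobaltstrike" in their subject.
DEFAULT_CS_CERT_MARKERS = ("major cobalt strike", "cobaltstrike")


def parse_openssl_subject(line: str) -> Dict[str, str]:
    """Parse a line such as 'subject=C = SG, O = Example, CN = example.sg'
    (as printed by `openssl x509 -noout -subject`) into {field: value}."""
    body = line.split("=", 1)[1] if line.startswith("subject=") else line
    fields: Dict[str, str] = {}
    for part in body.split(","):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip().upper()] = value.strip()
    return fields


def is_default_cobalt_strike_cert(subject: Dict[str, str]) -> bool:
    """True when any subject field contains one of the advisory's markers
    (matched case-insensitively, since the names appear in mixed case)."""
    haystack = " ".join(subject.values()).lower()
    return any(marker in haystack for marker in DEFAULT_CS_CERT_MARKERS)


def triage(lines: List[str]) -> List[str]:
    """Return the CN of every certificate whose subject matches a marker."""
    hits: List[str] = []
    for line in lines:
        subject = parse_openssl_subject(line)
        if is_default_cobalt_strike_cert(subject):
            hits.append(subject.get("CN", "<no CN>"))
    return hits


# Constructed sample output (hypothetical): two ordinary web certificates and
# one shaped like the default Cobalt Strike certificate the advisory describes.
SAMPLE_SUBJECTS = [
    "subject=C = SG, O = Example Pte Ltd, CN = www.example.sg",
    "subject=O = cobaltstrike, CN = Major Cobalt Strike",
    "subject=C = SG, O = Example Pte Ltd, CN = mail.example.sg",
]

if __name__ == "__main__":
    # Real input would come from e.g.
    # openssl s_client -connect HOST:443 </dev/null | openssl x509 -noout -subject
    for cn in triage(SAMPLE_SUBJECTS):
        print(f"default Cobalt Strike certificate subject found: CN={cn}")
```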
The Cyber Security Agency of Singapore says companies should monitor processes and look out for unusual activity on their web servers in addition to monitoring scripting interpreters, such as powershell.exe and cmd.exe.
The agency also advises organizations to carry out regular patching and log reviews, deploy web application firewalls and use network segregation to limit communication between internet-facing services and internal servers that host sensitive data.