ALTDOS Group Wages Attacks in Singapore

Agencies Issue Advisory Offering Mitigation Advice
ALTDOS, an advanced persistent threat group, has recently targeted several organizations in Singapore by waging "double extortion" ransomware attacks in an attempt to gain ransom payments, local government authorities say.

In an advisory, the Cyber Security Agency of Singapore, the Personal Data Protection Commission of Singapore and the Singapore Police Force explain that the gang encrypts files and exfiltrates data. If a victim refuses to pay a ransom, information can be leaked online or sold to the highest bidder on the dark web.

Darktrace research reveals that prior to 2019, only one known threat actor, Maze Team APT group, used double extortion ransomware, but now over 16 ransomware groups actively use this tactic.

ALTDOS emerged in December 2020, when it claimed its first victim, Country Group Securities - a securities trading firm based in Thailand. Since then, the Singapore advisory states, ALTDOS has claimed victims in Bangladesh, Thailand and Singapore.

Although ALTDOS’ country of origin is unknown, the APT group has been primarily operating in South Asia, targeting businesses for financial gain.

In Singapore, the threat group is reported to have carried out the March cyberattack on retail furniture chain Vhive.

The ALTDOS group typically demands ransoms be paid in bitcoin, the advisory notes. If the victim refuses to comply or respond within the given time frame, ALTDOS may also launch a distributed denial-of-service attack to disrupt operations, authorities say.

How ALTDOS Works

ALTDOS exploits vulnerable Apache web servers and uses Structured Query Language (SQL) injection against vulnerable targets to obtain initial access, the advisory notes.

Although the advisory states that it's not clear which ransomware variant ALTDOS is using, Thailand’s Computer Emergency Response Team reports that in a December 2020 attack on Thai media conglomerate Country Group Securities, the group used a penetration-testing tool called Cobalt Strike that allowed it to load fileless malware called Beacon.

Beacon is capable of loading itself into the memory of a process without touching the disk, according to Malpedia.

The advisory states that ALTDOS primarily employs default Cobalt Strike beacons, which can be identified using YARA, an open-source pattern-matching tool used to detect and classify malware.

ALTDOS has also been observed to use default Cobalt Strike TLS/SSL certificates, so organizations should check for certificates bearing the name “Major Cobalt Strike” or “Cobaltstrike,” the advisory says.
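As an added illustration of the certificate check above (this is example code, not part of the advisory or the article), the function below scans a constructed, simplified tab-separated certificate log for subject or issuer names carrying the default Cobalt Strike identifiers; the log format, IP addresses and fingerprints are assumptions made for the example.

```python
"""Flag TLS certificates whose subject or issuer carries the default
Cobalt Strike names called out in the advisory ("Major Cobalt Strike",
"Cobaltstrike"). Input is a constructed tab-separated certificate log
(assumed format: one record per line with the columns in FIELDS)."""
import csv
import io
from typing import Iterator

# Markers from the advisory, compared case-insensitively with whitespace
# removed so that "Cobalt Strike" and "cobaltstrike" both match.
DEFAULT_COBALT_STRIKE_MARKERS = ("majorcobaltstrike", "cobaltstrike")

FIELDS = ("ts", "server_ip", "server_port", "subject", "issuer", "sha1")


def _normalise(dn: str) -> str:
    return "".join(dn.split()).lower()


def is_default_cobalt_strike_cert(subject: str, issuer: str) -> bool:
    """True when either distinguished name contains a known default marker."""
    haystack = _normalise(subject) + "|" + _normalise(issuer)
    return any(marker in haystack for marker in DEFAULT_COBALT_STRIKE_MARKERS)


def parse_cert_log(text: str) -> Iterator[dict]:
    """Yield one dict per record, skipping '#'-prefixed header/comment lines."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    for row in reader:
        if row["ts"].startswith("#"):
            continue
        yield row


def find_default_cobalt_strike_certs(text: str) -> list:
    """Return the records whose certificate looks like a default Cobalt Strike cert."""
    return [r for r in parse_cert_log(text)
            if is_default_cobalt_strike_cert(r["subject"], r["issuer"])]


# Constructed sample log: documentation-range IPs, placeholder fingerprints.
# Record 2 carries the default names; record 3 is a near-miss that must not match.
SAMPLE_LOG = """\
#ts\tserver_ip\tserver_port\tsubject\tissuer\tsha1
1617000001\t203.0.113.10\t443\tCN=www.example.com,O=Example Corp\tCN=R3,O=Let's Encrypt\tPLACEHOLDER_SHA1_1
1617000002\t198.51.100.7\t443\tCN=Major Cobalt Strike,O=cobaltstrike\tCN=Major Cobalt Strike,O=cobaltstrike\tPLACEHOLDER_SHA1_2
1617000003\t198.51.100.9\t8443\tCN=cobalt.example.net,O=Example Corp\tCN=cobalt.example.net\tPLACEHOLDER_SHA1_3
"""

if __name__ == "__main__":
    for hit in find_default_cobalt_strike_certs(SAMPLE_LOG):
        print(f"{hit['server_ip']}:{hit['server_port']} subject={hit['subject']!r}")
```

The match is deliberately broad, as the advisory's guidance is, so each hit should be reviewed against the server's expected certificate before action is taken.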

Mitigation Recommendations

The Cyber Security Agency of Singapore says companies should monitor processes and look out for unusual activity on their web servers in addition to monitoring scripting interpreters, such as powershell.exe and cmd.exe.

The agency also advises organizations to carry out regular patching and log reviews, deploy web application firewalls and use network segregation to limit communication between internet-facing services and internal servers that host sensitive data.

About the Author

Soumik Ghosh

Former Assistant Editor, Asia

Prior to his stint at ISMG, Ghosh worked with IDG and wrote for CIO, CSO Online and Computerworld, in addition to anchoring CSO Alert, a security news bulletin. He was also a language and process trainer at [24] Ghosh has a degree in broadcast journalism from the Indian Institute of Journalism & New Media.
