VTA-004473 – R00TK1T Hacking Group Announced Malaysia To Be Their Next Victim

The “R00TK1T Hacking Group” has been identified by researchers as the threat actor that recently declared via their Telegram channel that they want to launch a campaign that targets Malaysian infrastructure on January 26, 2024. It is thought that the threat actor was a member of a retribution team against the cyber campaign resulting from the Middle East crisis, even if the precise date and duration of the attacks remain unknown. 

Researchers found that they can confirmed that the threat announcement was also posted on a dark web platform. By taking advantage of known vulnerabilities and enlisting the aid of insider threats and disgruntled employees, the threat actor has previously targeted a variety of sectors in multiple countries, including education, transportation, healthcare, telecommunications, and ICT services, according to historical data.

Given that this campaign may last for several weeks, cybersecurity experts strongly recommends that all Malaysian organizations take the necessary precautions to guard against this attack. If this isn’t done, there may be interruptions to operations and security issues with the organization’s data, systems, and infrastructure.

Severity:
High

Attack Surfaces:
Email, Endpoint, Mobile Application, Web Application, Web Browser

Tactics:
Command and Control, Impact, Initial Access, Privilege Escalation

Technique:
T1566 – Phishing,
T1078 – Valid Accounts,
T1001 – Data Obfuscation,
T1491 – Defacement,
T1485 – Data Destruction,
T1565 – Data Manipulation

References:
1. https://www.nacsa.gov.my/advisory11.php
2. https://izoologic.com/region/central-asia/r00tk1t-hacking-group-threatens-malaysia-in-its-latest-post/
3. https://www.nc4.gov.my/alert/65b5cbec90087b4855570ee1

SuperPRO’s Threat Countermeasures Procedures: 
1. Closely monitor for unusual activity within your IT environment, including suspicious scans or attempts to access your systems.
2. Keep all critical technology updated with the latest security patches and fixes. If an update can’t be applied, ensure additional controls are in place to protect the asset.
3. Be cautious of unsolicited emails and links, regardless of attachments.
4. Maintain up-to-date and actively running antivirus and anti-malware software.
5. Regularly review firewall and security device logs for suspicious activity.
6. Periodically review firewall and security appliance configurations for vulnerabilities.
7. Block or restrict access to unnecessary ports like 3389 (RDP), 5900 (VNC), and 22 (SSH), except for authorized public-facing services.
8. Securely store system and server logs in multiple locations.
9. Use strong and unique passwords for all systems and change them regularly.
10. Enforce the principle of least privilege for user access, avoiding admin accounts for remote access.
11. Secure administrator login pages from unauthorized access.
12. Regularly back up essential data to an offline, offsite location daily to minimize data loss impact and expedite recovery.
13. Isolate any suspected compromised systems, reset user credentials, and follow incident response procedures immediately.
14. Strengthen the security of internet-facing applications against attack.
15. Report any unusual network or system activity to the authorities.

Contributed by: Zahirul