PSafe US Breach Incident Score: Analysis & Impact (PSA1765476395)

In this Rankiteo incident briefing, we review the PSafe US breach identified under incident ID PSA1765476395.

The analysis begins with a detailed overview of PSafe US's information like the linkedin page: https://www.linkedin.com/company/psafeus, the number of followers: 0, the industry type: IT Services and IT Consulting and the number of employees: 2 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 786 and after the incident was 696 with a difference of -90 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on PSafe US and their customers.

A newly reported cybersecurity incident, "DroidLock Android Ransomware Campaign", has drawn attention.

Researchers have analyzed a new threat campaign actively targeting Android users with malware named DroidLock.

The disruption is felt across the environment, affecting Android devices, and exposing SMS, call logs, contacts, audio, device unlock patterns, app credentials, OTPs.

In response, and began remediation that includes Uninstall malicious app, use anti-malware solutions (e.g., Malwarebytes for Android), reset device PIN.

The case underscores how Ongoing (researchers actively analyzing the campaign), teams are taking away lessons such as Android users should avoid sideloading apps, scrutinize permissions (especially Accessibility Services), and use real-time anti-malware solutions. Keeping devices updated is critical to prevent exploitation of known vulnerabilities, and recommending next steps like Only install apps from official app stores (Google Play), Avoid installing apps promoted via SMS, email, or messaging apps and Verify developer names, download counts, and user reviews before installing apps, with advisories going out to stakeholders covering Users are advised to avoid sideloading apps, verify app legitimacy, and use anti-malware tools. If infected, victims should contact security experts and avoid paying the ransom.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Phishing (T1566) with high confidence (95%), with evidence including phishing sites that impersonate trusted brands, and tricking victims into downloading a malicious app and Deliver Malicious App (T1475) with high confidence (90%), with evidence including malicious app acts as a dropper, and spreads via phishing sites impersonating telecom providers. Under the Execution tactic, the analysis identified Inter-Process Communication: Component Object Model (T1559.001) with moderate to high confidence (70%), supported by evidence indicating exploiting Device Admin and Accessibility Services permissions. Under the Persistence tactic, the analysis identified Create or Modify System Process: Windows Service (T1543.003) with moderate confidence (50%), supported by evidence indicating abuse of Device Admin permissions and Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) with moderate confidence (60%), supported by evidence indicating accessibility Services permissions for persistence. Under the Privilege Escalation tactic, the analysis identified Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) with moderate to high confidence (80%), supported by evidence indicating exploiting Device Admin and Accessibility Services permissions and Abuse Elevation Control Mechanism: Sudo and Sudo Caching (T1548.003) with moderate to high confidence (70%), supported by evidence indicating autonomously approves additional permissions (SMS, call logs, contacts). Under the Defense Evasion tactic, the analysis identified Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (80%), with evidence including bypass security measures, and uninstall apps and Debugger Evasion (T1622) with moderate confidence (60%), supported by evidence indicating abuse of Accessibility Services to overlay fake screens. Under the Credential Access tactic, the analysis identified Modify Authentication Process: Multi-Factor Authentication Interception (T1556.003) with high confidence (90%), supported by evidence indicating intercept one-time passwords (OTPs), Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate to high confidence (80%), supported by evidence indicating capturing app credentials via Accessibility Services, and Multi-Factor Authentication Request Generation (T1621) with moderate to high confidence (70%), supported by evidence indicating intercept OTPs for unauthorized access. Under the Discovery tactic, the analysis identified System Information Discovery (T1426) with moderate to high confidence (80%), supported by evidence indicating captures device unlock patterns, SMS, call logs, contacts and Container and Resource Discovery (T1613) with moderate to high confidence (70%), supported by evidence indicating access to contacts, audio, and app data. Under the Collection tactic, the analysis identified Data from Local System (T1533) with high confidence (90%), supported by evidence indicating sMS, call logs, contacts, audio, device unlock patterns, Screen Capture (T1113) with moderate to high confidence (80%), supported by evidence indicating activate the camera for surveillance, and Protected User Data (T1636) with high confidence (90%), supported by evidence indicating oTPs, app credentials, contacts, SMS intercepted. Under the Command and Control tactic, the analysis identified Remote Access Software (T1219) with high confidence (90%), supported by evidence indicating virtual Network Computing (VNC) for real-time remote control. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate confidence (50%), supported by evidence indicating threatens permanent data deletion (though no encryption), Service Stop (T1489) with moderate to high confidence (80%), supported by evidence indicating change device PINs to lock users out, Account Access Removal (T1531) with high confidence (90%), supported by evidence indicating blocks access to device unless ransom is paid, and Defacement: Internal Defacement (T1491.001) with moderate to high confidence (70%), supported by evidence indicating overlay fake screens (e.g., fraudulent Android update prompt). Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating possible data exfiltration via remote control and VNC. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.