29 March 2024

Ankura CTIX FLASH Update - March 22, 2024

Ankura Consulting Group LLC


Ransomware/Malware Activity

"AcidPour" Data-Wiping Malware Developed to Target Linux x86 Devices

Cybersecurity researchers at SentinelLabs have analyzed a novel data-wiping malware uploaded to the internet from a location in Ukraine. Dubbed "AcidPour", the malware shares similarities with "AcidRain", the data-wiping malware used in 2022 to target satellite broadband services in Ukraine. Both AcidPour and AcidRain use the same IOCTL (input/output control) wiping mechanism, the same logic for recursive directory wiping, and the same reboot mechanism. However, AcidPour appears to be designed to target Linux x86 systems specifically, as opposed to the MIPS-architecture devices its predecessor was compiled for. The AcidPour code references the device paths "/dev/ubiXX" and "/dev/dm-XX". The "/dev/ubiXX" path is common in embedded systems that depend on flash memory, such as IoT (Internet-of-Things), networking, and ICS (Industrial Control System) devices. The "/dev/dm-XX" path is associated with mapped devices under Logical Volume Management (LVM), putting devices like Storage Area Network (SAN) and Network Attached Storage (NAS) systems within AcidPour's target scope. These additions to the malware suggest that AcidPour targets a broader range of systems than its AcidRain predecessor. A sample of the AcidPour binary analyzed by researchers has been made available on VirusTotal. As of the time of this writing, it is unclear whether AcidPour has been deployed against any known victims. CTIX analysts will continue to report on novel strains of malware and associated campaigns.
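The two traits the write-up above uses to distinguish AcidPour from AcidRain, an x86 build and references to "/dev/ubiXX" and "/dev/dm-XX" device nodes, can be turned into a quick triage check for suspect ELF samples. The following is an added example written for this update, not code from SentinelLabs or from the malware; the "matches profile" heuristic and the constructed sample bytes are assumptions made for illustration, and a hit only flags a file for deeper analysis.

```python
import re
import struct

# e_machine values from the ELF specification.
EM_386 = 0x03
EM_MIPS = 0x08
EM_X86_64 = 0x3E
ARCH_NAMES = {EM_386: "x86", EM_X86_64: "x86-64", EM_MIPS: "MIPS"}

# Device-node paths the write-up says AcidPour references: UBI flash volumes
# (embedded/IoT/ICS) and device-mapper nodes (LVM on SAN/NAS systems).
DEVICE_PATH_RE = re.compile(rb"/dev/(?:ubi|dm-)\d*")


def elf_machine(data: bytes):
    """Return the ELF e_machine field, or None if the blob is not an ELF file."""
    if len(data) < 0x14 or data[:4] != b"\x7fELF":
        return None
    little_endian = data[5] == 1          # EI_DATA: 1 = LSB, 2 = MSB
    fmt = "<H" if little_endian else ">H"
    return struct.unpack_from(fmt, data, 0x12)[0]   # e_machine sits at offset 18


def triage(data: bytes) -> dict:
    """Classify a sample by architecture and by the device paths it embeds.

    Heuristic (assumption for this example): an x86/x86-64 ELF that embeds
    UBI or device-mapper paths matches the AcidPour profile described above.
    """
    machine = elf_machine(data)
    arch = ARCH_NAMES.get(machine) if machine is not None else None
    paths = sorted({m.decode() for m in DEVICE_PATH_RE.findall(data)})
    return {
        "arch": arch,
        "device_paths": paths,
        "matches_acidpour_profile": arch in ("x86", "x86-64") and bool(paths),
    }


def make_sample(machine: int, little_endian: bool = True, tail: bytes = b"") -> bytes:
    """Build a constructed 64-byte ELF header plus trailing strings (test data only)."""
    ident = b"\x7fELF\x02" + (b"\x01" if little_endian else b"\x02") + b"\x01" + b"\x00" * 9
    header = ident + struct.pack(("<" if little_endian else ">") + "HH", 2, machine)
    return header.ljust(64, b"\x00") + tail


if __name__ == "__main__":
    # Constructed sample: x86-64 header followed by the strings a wiper might embed.
    sample = make_sample(EM_X86_64, tail=b"\x00/dev/ubi0\x00/dev/dm-3\x00/bin/sh\x00")
    print(triage(sample))
```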

Threat Actor Activity

Iranian-Linked Hackers Compromise Israeli Nuclear Facility

A hacking group with ties to Iran that goes by Anonymous has claimed responsibility for infiltrating the computer network of the Shimon Peres Negev Nuclear Research Center, a key Israeli nuclear facility that houses a nuclear reactor. Amid their protest against the war in Gaza, the hackers claimed to have stolen and released thousands of documents online, including PDFs, emails, and PowerPoint slides from the nuclear research center. The group posted on social media claiming that they "carried out the operation in such a way that no civilians were harmed" but also that the operation was very dangerous, and while they did not intend to set off a nuclear explosion, they encouraged the nearby city of Dimona and the town of Yeruham to consider evacuating. The latter message was likely a scare tactic: while the group was able to compromise the IT network, there is no evidence to suggest the hackers managed to compromise the facility's more secure operational technology (OT) networks. The incident has not yet elicited a public response from the Israeli embassy in London. Researchers have identified similarities between the attacks carried out by this Anonymous group and those associated with Iranian cyber groups, suggesting a possible connection or even a shared identity among these threat actors. The cybersecurity landscape in Israel has been under strain since the outbreak of the war in Gaza, with a surge in cyberattacks from various threat actors. These attacks have included data breaches, system intrusions, disinformation campaigns, and targeting of industrial control systems, reflecting that cyber threats are an active and likely future component of modern warfare. Analysis of the recently disclosed documents indicates that while they are not highly sensitive, they could potentially facilitate future cyber threats such as phishing. The company emphasizes that the release of these documents should not be seen as an indication of the hackers' ability to control the nuclear facility's critical operational systems.

Vulnerabilities

Ivanti Patches Vulnerabilities Leading to RCE

Ivanti has issued urgent patches for two (2) critical vulnerabilities in its Standalone Sentry and Neurons for IT Service Management (ITSM) solutions. The Standalone Sentry vulnerability, tracked as CVE-2023-41724, allows unauthenticated attackers on the same network to achieve remote code execution (RCE) on the appliance's operating system, affecting all supported versions. This flaw, reported by NATO Cyber Security Centre researchers, is significant because of Standalone Sentry's role as a Kerberos Key Distribution Center Proxy (KKDCP) or as a gatekeeper for ActiveSync-enabled servers. The second vulnerability, tracked as CVE-2023-46808, impacts Neurons for ITSM and enables attackers with low-level access to execute commands in the context of the web application's user; cloud deployments have already been secured, but on-premises deployments remain exposed until patched. Ivanti has not found evidence that these vulnerabilities are being actively exploited in the wild but urges immediate action to prevent potential exploitation. The advisories come against the backdrop of a number of Ivanti vulnerabilities that have previously been exploited by nation-state actors and threat groups, leading to widespread attacks and emergency directives from cybersecurity agencies to secure Ivanti Connect Secure and Policy Secure systems against zero-day flaws. These incidents highlight the critical importance of maintaining security hygiene and the potential consequences of unaddressed vulnerabilities in widely used enterprise software. CTIX analysts recommend that all administrators utilizing the affected Ivanti solutions patch their software as soon as possible to prevent potential exploitation.
