11 September 2024

Ankura CTIX FLASH Update - September 10, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit ankura.com.

Ransomware/Malware Activity

Lazarus Group Continues Campaign Against Developers and IT Professionals

Researchers at Group-IB have recently released a new report on ongoing and new threats posed by Lazarus Group's financially motivated campaign against job seekers. CTIX analysts discussed the emergence of this campaign in our April 30, 2024 flash. Since then, Lazarus has expanded its capabilities and has introduced new malware targeted at macOS to steal information and cryptocurrency from job seekers in the IT and Software Development fields. The campaign is rooted in a fictitious job posting and interview process that tricks seekers into downloading a "Node.js" project containing malware. Researchers have observed updated versions of the major forms of malware used in this campaign, dubbed BeaverTail and InvisibleFerret. BeaverTail is a JavaScript or Python-based infostealer with the ability to steal credentials stored in browsers and vaults as well as data from browser extensions and cryptocurrency wallets. InvisibleFerret is Python-based malware that acts as a backdoor, keylogger, and infostealer. Both forms of malware are under active development. The recent Python versions of BeaverTail are delivered via a simple JavaScript downloader and fetch a bundle of scripts called CivetQ to modularize the malware's capabilities.

Researchers have also noted that Lazarus has included additional job search platforms in their campaign in an apparent attempt to target professionals skilled in Blockchain. This tactic could have been introduced to increase the attackers' likelihood of infecting a victim with cryptocurrency on their machine. Platforms added to their campaign beyond LinkedIn include WWR, Moonlight, and Upwork. They have also started using fraudulent video conferencing applications to spread the initial BeaverTail loader as an alternative initial infection vector to the fake "Node.js" project. Researchers discovered a cloned website of a legitimate free conferencing software application which hosts the fake video conference application "FCCCall". Installers for both Windows and macOS were discovered by researchers. CTIX analysts urge individuals to remain vigilant online and to vet potential employers prior to engaging in the job interview process. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

New Sophisticated Espionage Group Launches Campaign Targeting Taiwanese Drone Makers

A newly identified threat actor, dubbed TIDRONE, is targeting drone manufacturers in Taiwan, with a broader focus on military and satellite-related industrial supply chains. This espionage-driven campaign, which began in early 2024, is believed to have connections to other Chinese-speaking groups. TIDRONE employs sophisticated attack methods, including the deployment of custom malware such as CXCLNT and CLNTEND, often using enterprise resource planning (ERP) software or remote desktop tools like UltraVNC to infiltrate targets. The exact vector for initial access remains unclear, but commonalities among victims suggest a potential supply chain attack. Once inside a network, TIDRONE's attack chain involves three (3) stages designed to escalate privileges, dump credentials, and evade defenses by disabling antivirus software. The malware is typically introduced via sideloading a rogue DLL through the Microsoft Word application, enabling the attackers to collect a wide range of sensitive information. CXCLNT is equipped with basic file upload and download capabilities, trace-clearing functions, and tools for gathering victim information such as file listings and computer names. It can also download and execute additional portable executable (PE) and DLL files. CLNTEND, first detected in April 2024, is a more advanced remote access tool (RAT) supporting multiple network protocols, including TCP, HTTP, HTTPS, TLS, and SMB (port 445). Analyses highlight that TIDRONE's operations align with other Chinese espionage activities, supported by the consistency in file compilation times and operational patterns. The threat actors have continually updated their toolsets and optimized their attack chains, employing anti-analysis techniques in their loaders to alter execution flows and evade detection. 
The campaign's reach extends beyond Taiwan, with artifacts from VirusTotal indicating a variety of targeted countries, prompting CTIX analysts to warn of the need for global vigilance against this threat.

Vulnerabilities

Progress Software Patches Maximum Severity Vulnerability in LoadMaster and MT Hypervisor

Progress Software has released an emergency fix for a highly critical vulnerability affecting its LoadMaster and LoadMaster Multi-Tenant (MT) Hypervisor products. This vulnerability, tracked as CVE-2024-7591, has a maximum CVSS score of 10/10 since it enables unauthenticated attackers to conduct remote code execution (RCE) by exploiting an improper input validation flaw. The attack can be facilitated through a maliciously crafted HTTP request targeting the management interface of affected devices. Once successful, the attacker can gain control over vulnerable systems without needing authentication. The flaw affects all versions of LoadMaster up to 7.2.60.0 and MT Hypervisor up to 7.1.35.11, including Long-Term Support (LTS) and Long-Term Support with Feature (LTSF) branches. At this time, Progress has confirmed that no reports of active exploitation have been received. Security researcher Florian Grunow is credited with discovering the issue. To mitigate the risk, Progress released a patch that can be installed on any affected version. The fix works by sanitizing user inputs to prevent arbitrary command execution. However, the patch does not apply to the free version of LoadMaster, leaving it exposed to potential exploitation. Progress strongly advises all users to apply the patch immediately by navigating to the system's configuration interface and following their recommended security hardening guidelines. Failing to address this flaw could leave critical infrastructure and network environments vulnerable to remote command injection attacks, posing a significant risk to organizations relying on these solutions for load balancing, traffic management, and application delivery. CTIX analysts urge all administrators of the affected devices to install the patch immediately to prevent exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
