1 October 2024

Ankura CTIX FLASH Update - September 27, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Ransomware/Malware Activity

AI-Generated Malware Deployed in Phishing Attacks

Cybersecurity researchers have recently identified an email phishing campaign that deploys a malware dropper likely produced by a generative AI model. Cybercriminals have been known to use "Dark" AI to enhance their social engineering attacks, better articulating their pretext and eliminating tell-tale grammatical and spelling errors. CTIX analysts reported on the emergence of "Dark" AI this summer. Now there is evidence that unsophisticated cybercriminals are leveraging generative AI tools, including ones built for malicious use, to write malware, further lowering the barrier to entry into the cybercrime industry.

Researchers at HP Wolf Security recently released their analysis of a phishing email with an invoice lure and an encrypted HTML attachment. Once the victim opens and decrypts the HTML attachment, a web page is displayed and a VBScript runs that drops the AsyncRAT remote access trojan onto the victim machine. The VBScript writes several variables to the Windows Registry to establish persistence. A JavaScript file is also dropped into the user directory and is run by a scheduled task. The JavaScript executes a PowerShell script that reads the Registry variables and starts the malware payload after injecting it into a legitimate process.

It is the VBScript and JavaScript files that researchers believe were likely created with the help of generative AI. For one, the scripts are neatly structured, with each function explained in detailed comments. In addition, the comments are written in French, which is uncommon among malware authors. Sophisticated attackers rarely comment their code; they typically try to make their malware as difficult as possible to analyze through obfuscation. The payload, AsyncRAT, is a free and readily accessible remote access trojan that could be picked up and used by any novice cybercriminal. Taken together, these circumstances make it highly likely that the campaign was built by an unseasoned cybercriminal with the help of generative AI.
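As an added example, not code from the HP Wolf Security report, from Ankura, or from the campaign itself: a small Python correlation routine that looks for the stages of the dropper chain described above in process, registry and thread-creation telemetry. It runs over a constructed set of Sysmon-style events; the event shapes, registry path under HKCU, file and task names, and the injected target process (RegAsm.exe) are placeholders, not indicators from the campaign. The point it makes is that no single stage (a script host, a registry write, a scheduled task, PowerShell) is suspicious on its own, while several of them tied together by process ancestry are.

```python
"""
Added example: correlate constructed Sysmon-style events into the dropper
chain described in the HP Wolf Security analysis. Not code from HP, Ankura
or the campaign; event shapes, registry path, file names and the injected
target process are assumed placeholders.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A .vbs or .js located anywhere under C:\Users\<name>\... (assumed layout)
USER_SCRIPT_RE = re.compile(r"\\Users\\[^\\\s\"]+\\.*?\.(?:vbs|js)\b", re.IGNORECASE)

# Constructed telemetry, not real data. Sysmon numbering: id 1 = process create,
# id 13 = registry value set, id 8 = CreateRemoteThread.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 50, "image": "chrome.exe", "cmd": "chrome.exe"},
    # stage: script host runs the dropped VBScript from the user profile
    {"id": 1, "pid": 101, "ppid": 100, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\facture.vbs"'},
    # stage: the VBScript stores its variables in the registry (assumed path)
    {"id": 13, "pid": 101, "image": "wscript.exe", "target": r"HKCU\Software\Example\cfg1"},
    {"id": 13, "pid": 101, "image": "wscript.exe", "target": r"HKCU\Software\Example\cfg2"},
    # stage: a scheduled task is created to run the dropped .js
    {"id": 1, "pid": 102, "ppid": 101, "image": "schtasks.exe",
     "cmd": r'schtasks.exe /create /tn Updater /sc minute '
            r'/tr "wscript.exe C:\Users\alice\AppData\Roaming\update.js"'},
    # stage: the task fires and the .js launches PowerShell
    {"id": 1, "pid": 200, "ppid": 4, "image": "wscript.exe",
     "cmd": r"wscript.exe C:\Users\alice\AppData\Roaming\update.js"},
    {"id": 1, "pid": 201, "ppid": 200, "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c <reads registry, decodes payload>"},
    # stage: PowerShell injects the payload into a legitimate process (assumed target)
    {"id": 8, "pid": 201, "image": "powershell.exe", "target_image": "RegAsm.exe"},
    # benign noise that must not be flagged
    {"id": 1, "pid": 300, "ppid": 50, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
]


def build_process_map(events):
    """pid -> image name, taken from process-creation events."""
    return {e["pid"]: e["image"].lower() for e in events if e["id"] == 1}


def detect_dropper_chain(events):
    """Return {stage_name: {pids}} for every stage of the chain observed."""
    procs = build_process_map(events)
    hits = defaultdict(set)
    for e in events:
        image = e["image"].lower()
        if e["id"] == 1:
            cmd = e["cmd"]
            parent = procs.get(e["ppid"], "")
            if image in SCRIPT_HOSTS and USER_SCRIPT_RE.search(cmd):
                hits["script_host_runs_user_script"].add(e["pid"])
            if image == "schtasks.exe" and "/create" in cmd.lower() and USER_SCRIPT_RE.search(cmd):
                hits["scheduled_task_launches_script"].add(e["pid"])
            if image == "powershell.exe" and parent in SCRIPT_HOSTS:
                hits["script_host_spawns_powershell"].add(e["pid"])
        elif e["id"] == 13 and image in SCRIPT_HOSTS and e["target"].upper().startswith("HKCU\\"):
            hits["script_host_writes_registry"].add(e["pid"])
        elif e["id"] == 8 and image == "powershell.exe":
            hits["powershell_remote_thread"].add(e["pid"])
    return dict(hits)


def is_chain(events, min_stages=3):
    """Each stage is noisy alone; alert only when several distinct stages appear."""
    return len(detect_dropper_chain(events)) >= min_stages


if __name__ == "__main__":
    for stage, pids in detect_dropper_chain(EVENTS).items():
        print(f"{stage:35s} pids={sorted(pids)}")
    print("dropper chain:", is_chain(EVENTS))
```

On real telemetry the same logic would be keyed on the host and a time window, and the parent lookup would use the process GUID rather than a reusable pid; the stage names map directly onto the steps the HP analysis describes, so a miss on one stage (for example if the task runs the .js through a different host) still leaves enough of the chain to alert on.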
CTIX analysts are keeping an eye out for any additional developments that would suggest generative AI is being used to generate malware payloads beyond just droppers. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

Chinese Hackers, Salt Typhoon, Infiltrating Deep Inside US Internet Service Providers

A China-linked advanced persistent threat (APT) group tracked as Salt Typhoon has been implicated in a series of cyber espionage operations targeting U.S. internet service providers (ISPs). The group, believed to be backed by Beijing, has reportedly compromised several ISPs to establish a persistent presence within their networks. The ultimate aim is to gather sensitive information and potentially pre-position for future disruptive cyberattacks. Salt Typhoon, whose activity has been reported to overlap with the groups tracked as FamousSparrow and GhostEmperor, has a history of targeting high-profile entities in Southeast Asia and other regions. The attacks are part of a broader pattern of Chinese state-sponsored efforts to infiltrate critical infrastructure. Investigators are examining whether the intruders accessed Cisco Systems routers, which carry a large share of internet traffic routing.

This campaign follows a series of similar intrusions by other Chinese APT groups, such as Flax Typhoon and Volt Typhoon, known for targeting U.S. critical infrastructure, government, and military networks. These groups have been linked to extensive cyber espionage and data theft operations. Salt Typhoon's recent activities highlight China's strategic priorities, including reconnaissance and pre-positioning for potential military conflicts. By compromising ISPs, the group could monitor high-value targets, including federal agencies, military contractors, and Fortune 100 companies. This capability aligns with China's broader goals of controlling regional assets and preparing for possible conflicts, such as over Taiwan. The U.S. government and cybersecurity agencies are actively responding to these threats. Recent actions include the disruption of a 260,000-device botnet controlled by Flax Typhoon and heightened warnings about ongoing Chinese cyber campaigns. CTIX analysts advise organizations to review the latest advisories and implement stringent security practices to protect against these sophisticated cyber threats.

Vulnerabilities

CISA adds Critical Ivanti Virtual Traffic Manager Flaw to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical vulnerability in Ivanti's Virtual Traffic Manager (vTM) as under active exploitation and added it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2024-7593, has a CVSS score of 9.8/10 and stems from an incorrect implementation of the authentication algorithm, allowing unauthenticated remote attackers to bypass authentication on Internet-exposed vTM admin panels and create rogue administrator accounts. Although Ivanti released patches in March and May 2024 to address this vulnerability, the company has confirmed that proof-of-concept (PoC) exploit code is publicly available. Ivanti stated it was unaware of active exploitation at the time of its original disclosure; the KEV listing indicates that is no longer the case. Ivanti urges users to update their systems and to restrict access to the management interface by binding it to private networks or trusted IPs. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability no later than October 15, 2024, in accordance with Binding Operational Directive (BOD) 22-01, and private organizations worldwide are strongly advised to prioritize securing their systems against this flaw. Ivanti has been working on enhancing its internal security measures and disclosure processes following repeated attacks on its product lines in recent months. CTIX analysts urge administrators of affected vTM deployments to apply the patches and to confirm that the management interface is not reachable from the Internet, since a publicly available PoC for an authentication bypass leaves exposed panels with no effective barrier.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
