2 October 2024

Ankura CTIX FLASH Update - October 1, 2024

Ankura Consulting Group LLC


Ransomware/Malware Activity

Storm-0501 Releases Embargo Ransomware in Cloud Environments

Researchers at Microsoft have recently warned that threat actor Storm-0501 is now targeting and deploying ransomware in hybrid cloud environments in addition to on-premises environments. Storm-0501 is a ransomware threat actor that has been active since 2021 and has been known to use a variety of ransomware strains in its attacks, including Hive, BlackCat, LockBit, and Embargo. Embargo ransomware is a Rust-based variety and is provided to threat groups under a ransomware-as-a-service (RaaS) model. Storm-0501 has targeted the healthcare, government, transportation, law enforcement, and manufacturing industries in the United States. In recent attack campaigns, the group has expanded its infiltration operations to compromise hybrid cloud environments, exfiltrating data and encrypting systems to demand ransom from victims. Storm-0501 initially gains access to victim organizations either through compromised credentials or through exploitation of known vulnerabilities. Once a privileged account in Microsoft's Entra ID (formerly Azure AD) is compromised, Storm-0501 establishes persistence by creating a new federated domain within the Microsoft Entra tenant. This is also a well-known tactic of the notorious Scattered Spider, or "Octo Tempest", threat actor group. After victim data is exfiltrated, the Embargo ransomware payload is deployed using scheduled tasks or Group Policy Objects (GPOs) to encrypt files across devices. Compromising a federated identity provider to gain access and establish persistence in cloud environments is becoming a more popular tactic amongst threat actors. In Entra ID environments, it is particularly important that organizations monitor the authentication and activity of Microsoft Entra Connect Sync accounts, which are used to synchronize data between on-premises and cloud-based Active Directory. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
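The two monitoring points named above, a newly created federated domain and unusual sign-ins by Entra Connect sync accounts, can be checked with a small script over an exported log. The following is an added example, not Microsoft's or Ankura's code: it runs over a constructed JSON-lines export whose field names (time, category, activity, user, ip, target), the two audit activity names, and the "Sync_" account-name prefix are assumptions to be confirmed against a real tenant's export.

```python
"""Flag federated-domain changes and odd Entra Connect sync-account sign-ins.

Added example for the Storm-0501 item above; it is not Microsoft's or Ankura's
code. It works on a simplified, constructed JSON-lines export whose field names
(time, category, activity, user, ip, target) are an assumption, not the real
Entra ID schema.
"""
import json

# Audit-log activity names associated with adding or changing a federated
# domain. Assumed to match the tenant's audit export; verify before relying.
FEDERATION_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
}

# Entra Connect sync accounts are conventionally named
# Sync_<server>_<id>@<tenant>; matching on this prefix is an assumption.
SYNC_ACCOUNT_PREFIX = "sync_"

# Constructed sample export: a benign sync sign-in from the Connect server's
# address, a sync sign-in from an unexpected address, a federation change on
# a newly added domain, and an ordinary user sign-in.
SAMPLE_LOG = """\
{"time": "2024-09-30T02:14:05Z", "category": "SignInLogs", "activity": "Sign-in", "user": "Sync_CONNECT01_9f3a@contoso.onmicrosoft.com", "ip": "10.20.0.15", "target": null}
{"time": "2024-09-30T03:41:22Z", "category": "SignInLogs", "activity": "Sign-in", "user": "Sync_CONNECT01_9f3a@contoso.onmicrosoft.com", "ip": "203.0.113.77", "target": null}
{"time": "2024-09-30T03:45:10Z", "category": "AuditLogs", "activity": "Set domain authentication", "user": "globaladmin@contoso.com", "ip": "203.0.113.77", "target": "newly-added-domain.example"}
{"time": "2024-09-30T08:00:00Z", "category": "SignInLogs", "activity": "Sign-in", "user": "alice@contoso.com", "ip": "198.51.100.4", "target": null}
"""


def parse_records(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def federation_changes(records):
    """Return audit records that add or modify a federated domain."""
    return [r for r in records
            if r["category"] == "AuditLogs"
            and r["activity"] in FEDERATION_ACTIVITIES]


def suspicious_sync_signins(records, allowed_ips):
    """Return sync-account sign-ins from addresses other than the Connect server."""
    return [r for r in records
            if r["category"] == "SignInLogs"
            and r["user"].lower().startswith(SYNC_ACCOUNT_PREFIX)
            and r["ip"] not in allowed_ips]


def triage(text, allowed_ips):
    """Return (reason, record) findings for an export, oldest first."""
    records = parse_records(text)
    findings = [("federation change", r) for r in federation_changes(records)]
    findings += [("sync account sign-in from unexpected IP", r)
                 for r in suspicious_sync_signins(records, allowed_ips)]
    return sorted(findings, key=lambda f: f[1]["time"])


if __name__ == "__main__":
    # The Connect server's address is supplied by the operator.
    for reason, rec in triage(SAMPLE_LOG, allowed_ips={"10.20.0.15"}):
        print(f"{rec['time']}  {reason}: {rec['user']} from {rec['ip']}"
              f" target={rec['target']}")
```

The sync account's only legitimate source should be the Entra Connect server itself, so an allow-list of that server's address is the whole policy; a federation change is rare enough in most tenants that every occurrence deserves a ticket rather than a threshold.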

Threat Actor Activity

Transportation and Logistics Sectors Targeted by Info-Stealing Malware

A new phishing campaign targeting transportation and logistics companies in North America has been identified by cybersecurity researchers. This campaign, active since May 2024, uses compromised legitimate email accounts from the transportation sector to distribute a variety of malware strains, including Lumma Stealer, StealC, DanaBot, and Arechclient2. The threat actors inject malicious content into existing email conversations, making their lures more convincing and difficult to detect. Researchers noted that at least fifteen (15) email accounts have been compromised, although the exact method of infiltration remains unclear. In August 2024, the attackers shifted tactics, employing new infrastructure, delivery methods, and additional payloads. One of the techniques involves sending messages with internet shortcut (.URL) attachments or Google Drive URLs that lead to .URL files. When launched, these files use Server Message Block (SMB) to fetch the next-stage malware payload from a remote location. Additionally, some variants of the campaign have used a technique called ClickFix, which tricks victims into downloading the DanaBot malware by urging them to copy and paste a Base64-encoded PowerShell script into their terminal. The attackers have impersonated software solutions like Samsara, AMB Logistic, and Astra TMS, which are specific to transport and fleet management, indicating that they are likely conducting thorough research on their targets before launching their attacks. The emergence of this campaign comes amidst a rise in various stealer malware strains and follows the discovery of a new version of the RomCom remote access trojan (RAT), called SnipBot. Distributed via phishing emails, SnipBot allows attackers to execute commands, download additional modules, and manipulate files on the victim's system. 
Overall, this campaign highlights the evolving tactics of financially motivated threat actors who tailor their lures to specific industries, leveraging compromised email accounts to increase the authenticity of their attacks. CTIX analysts recommend heightened cybersecurity vigilance from organizations in the transportation and logistics sectors.
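Two of the lures described above leave artifacts an analyst can triage directly: a .URL attachment is an INI-style text file whose target can point at a remote file share, and a ClickFix prompt hands the victim a Base64-encoded PowerShell command. The following is an added example, not part of the original report: it parses constructed .URL samples with Python's configparser, flags targets that would be fetched over SMB when the shortcut is launched, and decodes a constructed -EncodedCommand argument so the pasted script can be read. The sample addresses are documentation-space placeholders, and the flag-matching regex is a simplification.

```python
"""Triage Internet Shortcut (.URL) attachments and pasted PowerShell one-liners.

Added example for the phishing item above, not part of the original report.
The .URL parser uses Python's configparser on the INI-style shortcut format
and flags targets that would make Windows reach out over SMB when the file
is launched; the decoder unpacks a Base64 PowerShell -EncodedCommand so an
analyst can read what a ClickFix lure asks the user to paste.
"""
import base64
import configparser
import re
from urllib.parse import urlparse

# Constructed samples. 203.0.113.0/24 is documentation space, not a real host.
BENIGN_URL_FILE = """\
[InternetShortcut]
URL=https://www.example.com/invoice
"""

SMB_URL_FILE = """\
[InternetShortcut]
URL=file://203.0.113.25/public/Invoice_Sept.pdf.lnk
IconIndex=0
"""

UNC_URL_FILE = """\
[InternetShortcut]
URL=\\\\203.0.113.25\\public\\Invoice_Sept.pdf.lnk
"""

# A constructed ClickFix-style command line; the payload is harmless and is
# encoded here so the sample is guaranteed to round-trip.
SAMPLE_SCRIPT = "Write-Host 'constructed sample'"
SAMPLE_CLICKFIX = "powershell -NoProfile -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def parse_url_file(text):
    """Return the fields of the [InternetShortcut] section (keys lower-cased)."""
    # Only "=" separates keys from values; ":" appears inside URL values.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    return dict(cp.items("InternetShortcut"))


def is_remote_unc(value):
    """True if a path or URL resolves to a remote file share (SMB)."""
    if value.startswith("\\\\") or value.startswith("//"):
        return True
    p = urlparse(value)
    return p.scheme.lower() == "file" and p.netloc not in ("", "localhost")


def assess_url_file(text):
    """Return human-readable findings for one .URL file (empty list if clean)."""
    fields = parse_url_file(text)
    findings = []
    target = fields.get("url", "")
    if is_remote_unc(target):
        findings.append(f"URL target is a remote share (SMB fetch on launch): {target}")
    elif not target.lower().startswith(("http://", "https://")):
        findings.append(f"URL target uses a non-web scheme: {target}")
    # Icon and working-directory paths are resolved by Explorer as well.
    for key in ("iconfile", "workingdirectory"):
        if key in fields and is_remote_unc(fields[key]):
            findings.append(f"{key} points at a remote share: {fields[key]}")
    return findings


# Matches -e, -ec, -enc and -EncodedCommand followed by a Base64 argument
# (simplified; PowerShell accepts other abbreviations too).
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_powershell(cmdline):
    """Decode the UTF-16LE Base64 payload of an -EncodedCommand, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("smb", SMB_URL_FILE),
                         ("unc", UNC_URL_FILE)):
        print(name, assess_url_file(sample) or ["clean"])
    print("decoded:", decode_encoded_powershell(SAMPLE_CLICKFIX))
```

Both checks are cheap enough to run in a mail-gateway sandbox or an EDR enrichment step; the .URL check is worth applying to the icon path as well as the target, because Explorer resolves the icon when the attachment is merely displayed.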

Vulnerabilities

NVIDIA Container Toolkit Vulnerability Allows for a Full System Takeover

A critical vulnerability in the NVIDIA Container Toolkit allows attackers to escape containers and gain full control over the host system, posing a significant risk to AI applications in cloud and on-premise environments that rely on GPU resources. The flaw, tracked as CVE-2024-0132 (CVSS score 9/10), is a Time-of-Check Time-of-Use (TOCTOU) vulnerability affecting Toolkit versions up to 1.16.1 and GPU Operator up to 24.6.1, and occurs due to inadequate isolation between the containerized GPU and the host system. Attackers can exploit this vulnerability via maliciously crafted container images, granting them access to the host's file system and enabling command execution through writable Unix sockets like "docker.sock" and "containerd.sock", leading to code execution, data exfiltration, and potential full system takeover. According to Wiz Research, 33-35% of cloud environments using the vulnerable Toolkit are at risk, highlighting the severity of the issue. The vulnerability impacts multi-tenant environments, potentially exposing sensitive data and secrets from other applications sharing the same node or cluster. NVIDIA released patches in version 1.16.2 of the Container Toolkit and GPU Operator 24.6.2 on September 26, 2024, following Wiz's report on September 1, 2024. CTIX analysts strongly advise users to upgrade, as technical details remain withheld to prevent exploitation while organizations implement mitigations.
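The practical question for defenders is whether the deployed Container Toolkit and GPU Operator releases are below the fixed versions named above. The following is an added example, not NVIDIA's or Wiz's code: it compares version strings against the fix thresholds from the advisory (Toolkit 1.16.2, GPU Operator 24.6.2). The `nvidia-ctk --version` probe and the banner format it parses are assumptions; the constructed inventory at the bottom stands in for values collected from real hosts or clusters.

```python
"""Check NVIDIA Container Toolkit and GPU Operator versions against the
CVE-2024-0132 fix.

Added example, not NVIDIA's or Wiz's code. The fixed versions (Container
Toolkit 1.16.2, GPU Operator 24.6.2) are those given in the advisory text;
the version-string format and the `nvidia-ctk --version` probe are assumptions
to confirm against the installed release.
"""
import re
import subprocess

# First fixed release per component, from the advisory.
FIXED_VERSIONS = {
    "nvidia-container-toolkit": (1, 16, 2),
    "gpu-operator": (24, 6, 2),
}


def parse_version(text):
    """Return the first dotted version in text as a tuple of ints.

    Accepts "1.16.1", "v24.6.1" or a longer banner line; a missing patch
    number becomes 0. Pre-release suffixes such as "-rc.1" are ignored.
    """
    m = re.search(r"\bv?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def is_vulnerable(component, version_text):
    """True if the installed version is below the first fixed release."""
    return parse_version(version_text) < FIXED_VERSIONS[component]


def installed_toolkit_banner():
    """Return the output of `nvidia-ctk --version` (assumed probe), or None."""
    try:
        proc = subprocess.run(["nvidia-ctk", "--version"],
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout or proc.stderr or None


def assess(inventory):
    """Map {component: version text} to {component: (version, needs_upgrade)}."""
    return {c: (parse_version(v), is_vulnerable(c, v)) for c, v in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; replace with values from your own hosts/clusters.
    inventory = {
        "nvidia-container-toolkit": installed_toolkit_banner()
        or "NVIDIA Container Toolkit CLI version 1.16.1",
        "gpu-operator": "v24.6.1",
    }
    for component, (version, needs_upgrade) in assess(inventory).items():
        state = "UPGRADE REQUIRED" if needs_upgrade else "patched"
        print(f"{component}: {'.'.join(map(str, version))} -> {state}")
```

Because the flaw is in the toolkit on the host rather than in any one image, the check belongs in node-level inventory rather than in image scanning; in multi-tenant clusters, every GPU node below the threshold should be treated as exposing all tenants scheduled onto it.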

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
