ARTICLE
6 November 2024

Ankura CTIX FLASH Update - November 1, 2024

AC
Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.
Cybersecurity researchers are tracking a new variant of an Android malware dubbed "FakeCall". The malware is designed to intercept phone calls made to the victim's bank and route the call to an attacker-owned phone number.
United States Technology

Ransomware/Malware Activity

FakeCall Android Malware Routes Bank Calls to Attackers

Cybersecurity researchers are tracking a new variant of an Android malware dubbed "FakeCall". The malware is designed to intercept phone calls made to the victim's bank and route the call to an attacker-owned phone number. Built for Android and deployed via an APK (Android Package Kit), the malware reroutes calls by setting itself up as the default call handler during installation. FakeCall displays a convincing UI that mimics Android's call interface, displaying the bank's legitimate phone number while the victim is actually on a call with the attacker. FakeCall is delivered via social engineering attacks, and the attacker's goal is to obtain sensitive banking information from the victim. The FakeCall trojan was first seen in 2022 and is now impersonating over twenty (20) financial organizations. In addition to hijacking calls, the latest versions of FakeCall include a new phone listener service which allows the attacker to issue commands to the device to get the device's location, delete applications, record audio or video, and edit contacts. New commands also allow the attacker to live stream the device's screen content, take screenshots, unlock the device, and delete and upload images. CTIX analysts recommend that individuals refrain from installing applications via APKs and opt for the more secure Google Play store. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

North Korean-linked Hackers Conduct Joint Cyber Attack with Play Ransomware Group

A recent investigation by cybersecurity specialists revealed a collaboration between North Korean state-sponsored hackers, known as Andariel or Jumpy Pisces, and the Play ransomware group. This marks the first documented instance of such collaboration between a North Korean state-sponsored group and an underground ransomware operation, highlighting North Korea's increasing involvement in financially motivated cybercrime. Andariel, linked to North Korea's Reconnaissance General Bureau (RGB), has historically engaged in cyber espionage and ransomware operations dating back to 2009, previously deploying strains like SHATTEREDGLASS and Maui. The investigation into the specific ransomware attack highlighting this collaborative effort discovered Andariel's initial access to a network in May 2024, using a compromised user account. Over several months, they conducted lateral movement, persistence activities, and credential harvesting, using tools like Sliver C2 framework and custom malware DTrack. This groundwork by Andariel later led to the deployment of Play ransomware in September 2024. The attack involved credential harvesting, privilege escalation, disabling endpoint detection systems, and typical pre-ransomware activities. Researchers suggest that the role of North Korea's Andariel might be as an initial access broker (IAB), facilitating and selling network access for the finically motivated Play ransomware operators. However, it's uncertain whether they act as Play affiliates or merely sell access to compromised networks. The collaboration signifies a shift in North Korean tactics, aligning with broader trends where nation-states increasingly engage or assist in ransomware for financial gain. This trend of state-sponsored involvement in ransomware extends beyond North Korea. Iranian and Russian actors have similarly leveraged ransomware for financial benefits, often acting behind the scenes to evade international sanctions. Such tactics complicate attribution and enforcement efforts, as these actors frequently rebrand or work with different ransomware groups to bypass sanctions and legal repercussions. The implications of these developments are significant, indicating a potential increase in ransomware attacks with state-sponsored backing, increasing in finical motivation rather than espionage or disruption-focused campaigns.

Vulnerabilities

Bug Bounty Program "huntr" Uncovers Several Critical Vulnerabilities in Open-Source AI and ML Models

Over thirty-four (34) security vulnerabilities, including multiple critical vulnerabilities, have been identified in open-source AI and ML tools through Protect AI's "huntr" bug bounty program, affecting widely-used toolkits like Lunary, Chuanhu Chat, and LocalAI. Two (2) of the most severe vulnerabilities in Lunary (CVE-2024-7474 and CVE-2024-7475), each with a CVSS score of 9.1/10, involve insecure direct object reference and improper access control, allowing attackers to view, delete user records, or manipulate authentication processes by altering the SAML configuration. In Chuanhu Chat, a GUI for ChatGPT, a path traversal flaw (CVE-2024-5982) allows remote code execution (RCE), arbitrary directory creation, and data leakage from CSV files. LocalAI, a platform for locally hosted AI models, is impacted by a high-severity RCE bug (CVE-2024-6983), enabling malicious configuration uploads, and a timing attack vulnerability (CVE-2024-7010), allowing attackers to guess API keys by measuring server response times. Protect AI also highlighted the vulnerabilities in these tools as significant risks in the AI model supply chain, emphasizing that open-source tools like these, downloaded thousands of times monthly, are integral to enterprise AI systems. Protect AI's Vulnhuntr tool aids in uncovering such vulnerabilities, while updates are recommended to mitigate these security risks. These flaws have been patched, and CTIX analysts recommend any users leveraging the affected open-source AI tools update to the most secure versions to prevent exploitation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More