Malware Activity

Buhti Ransomware Operation Observed Using LockBit Black and Babuk Ransomware to Target Windows and Linux Machines

Researchers observed a new ransomware operation, dubbed "Buhti", utilizing the leaked source code of LockBit and Babuk ransomware in its latest activity. Buhti, first discovered in February 2023, is targeting Windows with "LockBit Black" alongside Linux systems with variants of the "Babuk" ransomware and is using a custom data exfiltration tool for double extortion. The exfiltration tool is a Go-based information stealer that can target specifically chosen file systems and twenty-nine (29) file types. Buhti's operators, tracked as Blacktail, have also been observed exploiting the PaperCut NG and MF remote code execution (RCE) vulnerability, tracked as CVE-2023-27350, in order to "install Cobalt Strike, Meterpreter, Sliver, AnyDesk, and ConnectWise" on targeted machines, leveraging them to "steal data from, and deliver the ransomware payload to, multiple computers on the targeted network." In February 2023, the actors were also identified exploiting CVE-2022-47986, which is a critical RCE flaw that impacts the IBM Aspera Faspex file exchange product. Researchers have witnessed Buhti attacks in various countries, including the United States, the United Kingdom, China, Germany, Czechia, Ethiopia, and more. Researchers also advise administrators and researchers not to underestimate Blacktail. Despite the group using leaked ransomware code in its latest activity, the group's ability to exploit recently discovered vulnerabilities along with its tactics observed in their early attacks thus far renders them a considerable threat. CTIX analysts will continue to monitor Blacktail's activities and provide updates on the Buhti ransomware operation as it evolves. Additional details and indicators of compromise (IOCs) can be viewed in the report linked below.

Threat Actor Activity

Chinese Threat Group Reportedly Targets United States Critical Infrastructure

An emerging Chinese threat organization has reportedly been targeting United States critical infrastructure in their current operations. The group is tracked under the codename Volt Typhoon and has been actively targeting critical infrastructure companies within the government, communications, transportation, maritime, information technology, education, and communications sectors. During these attacks, Volt Typhoon actors would often compromise their victims through vulnerable public-facing FortiGuard devices, giving direct access into their network. Attackers will often attempt to gain privileged access in Active Directory by harvesting credentials stored in the Local Security Authority Subsystem Service (LSASS) process memory space. In addition to privilege escalation, threat actors also deployed a command line utility to install new domain controllers, allowing for multiple authentication attempts on network-connected devices. As the final step, Volt Typhoon actors establish a command-and-control (C2) connection back to their infrastructure to allow for the execution of remote commands and remote access to the victims' network(s). Additional tactics utilized by the group include capitalizing on local resources of compromised infrastructure, or 'living-off-the-land' activities through the system on-screen keyboard and LOLBin binaries to transfer additional payloads from the C2 server to victim networks. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.


Critical AT&T Zero-day Vulnerability Allowed for Account Takeover by Only Knowing the Victim's Phone Number and Zip Code

AT&T has patched a critical zero-day vulnerability that could have been exploited by attackers to take over any user's account using only the victim's zip code and phone number. The flaw was discovered by a security researcher named Joseph Harris after he was able to abuse and exploit an account merging feature, allowing him to merge his own account with any other user account he wanted. According to Harris' proof-of-concept (PoC) exploit, the attack is made possible by creating a free profile, then using a button called "combine accounts" and selecting "already registered accounts." The attacker is then prompted to enter the account phone number and zip code, disclosing the victim's account and sending a prompt to the victim to enter their password. Harris utilized the backend to intercept the password request to the victim, rerouting it to accounts he already owned. Once an attacker receives the victim's password, they can carry out a host of malicious activity including account takeover, SIM swapping, and adding other devices or phone numbers to a victim's account. Several well-known researchers have publicly stated that this is a very dangerous vulnerability given how easy it is to exploit. Roger Grimes from KnowBe4 also stated that the ease of which anyone could merge accounts is troubling, and indicative of the fact that there are likely multiple related and unrelated zero-day vulnerabilities that are still susceptible to exploitation. Telecommunications companies are very lucrative targets for both financially-motivated and state sponsored threat actors, and the Federal Communications Commission (FCC) has confirmed that there have been multiple breaches impacting some of the largest providers like Verizon, T-Mobile, and AT&T.

Honorable Mention

OpenAI Leaders Push for AI Regulations to Avoid Dangers and Reap Benefits

Concerns about the development of Artificial Intelligence and the negative consequences it poses to society have been increasingly warned about over the past decade. There are predictions of catastrophic consequences but also some more pernicious harms such as society becoming dependent on machines and losing its ability to self-govern, or a world where only a few who hold the power of AI are able to rule the many, creating an eternal caste system. In recognizing such concerns, leaders of ChatGPT developer OpenAI, including their cofounders and chief executive, have come out stating an urgent need for the regulation of "superintelligent" AIs, an equivalent to the International Atomic Energy Agency for AI that will help protect humanity from developing something with the power to destroy itself. Within the next ten (10) years, experts foresee AI exceeding "expert skill level in most domains" with the capability to "carry out as much productive activity as one of today's largest corporations" and that "superintelligence will be more powerful than other technologies humanity has had to contend with in the past." Instead of the recently published letter by AI experts pushing to pause AI development, the leaders at OpenAI are encouraging an international regulator to figure out how to "inspect systems, require audits, test for compliance with safety standards, [and] place restrictions on degrees of deployment and levels of security." These leaders are hoping that we can use such capabilities to foster a prosperous future, believing that humanity cannot afford the dangers of halting developments and missing out on the tremendous upsides AI has to offer, such as what's already being seen in the areas of education, creativity, and personal growth. However, they are also critical to point out that "given the possibility of existential risk, we can't just be reactive" and are thus encouraging companies working on the cutting-edge of AI research to coordinate their efforts to leverage this great technology and incorporate them smoothly into society while prioritizing safety.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.