Ransomware/Malware Activity
Bogus F5 BIG-IP Update Embedded with Malware
Israel has been targeted in a phishing campaign that delivers Windows and Linux data wipers to victims' devices. The campaign is believed to be carried out by pro-Hamas hacktivists and other Iranian-backed actors. The Israel National Cyber Directorate, the government organization responsible for protecting Israeli cyber assets, released a report detailing how the phishing campaign impersonated a cloud security company. The email describes a supposed zero-day vulnerability in F5 BIG-IP devices and urges the recipient to download and install an update, delivered as "F5Updater.exe" for Windows and "update.sh" for Linux. The Windows executable displays a fake F5 security update window bearing the F5 logo to further impersonate F5 and convince the victim that the software is legitimate. The pop-up contains a button that, when clicked, sends device information to a Telegram channel and then attempts to wipe all data from the device. The Linux version works slightly differently: it first tries to remove all users from the device, then uses the Linux "wipe" command to destroy the operating system files and any partitions that may exist. Once these commands have run, the device restarts, applying all of the changes. BleepingComputer reports that the pro-Palestinian hacking group Handala has claimed responsibility for the campaign, but this remains unconfirmed as of December 21, 2023. CTIX analysts will continue to monitor newly discovered hacking campaigns originating from the Middle East.
Threat Actor Activity
Indian Government Targeted in Operation RusticWeb Phishing Campaign
The Indian government and defense sector have been targeted in Operation RusticWeb, a phishing campaign using Rust-based malware for intelligence gathering. First detected in October 2023, the campaign uses novel payloads and encrypted PowerShell commands to steal documents, and has connections to the Pakistan-linked groups Transparent Tribe and SideCopy. SideCopy is involved in multiple campaigns delivering various known trojans such as AllaKore RAT, Ares RAT, and DRat. The attacks, often initiated via phishing emails carrying malicious PDFs, rely on social engineering to install malware that collects system information and files and sends them to an actor-owned command-and-control (C2) server. A different chain uses a PowerShell script and a Rust executable named "Cisco AnyConnect Web Helper," which uploads data to a public file-sharing service. This activity is linked to the nation-state actor DoNot Team, known for targeting individuals in Kashmir and India and for using Android malware to infiltrate devices. The DoNot group continues to refine its techniques and poses a significant threat, especially in the Kashmir region. CTIX analysts will continue to report on the recent activity of state-sponsored and financially motivated threat actors.
Vulnerabilities
Google Patches Actively Exploited Zero-day Vulnerability in Chrome
Google has released an emergency update for the Chrome browser to patch an actively exploited, high-severity zero-day vulnerability. The flaw, tracked as CVE-2023-7024, is a heap-based buffer overflow in WebRTC that could be exploited against Chrome desktop builds on Windows, Linux, and macOS. WebRTC is an open-source framework that provides real-time communication (RTC) for the web via JavaScript APIs. Successful exploitation could allow attackers to crash the browser or execute arbitrary code with the privileges of the current user. The vulnerability was identified and reported by Google's own Threat Analysis Group (TAG). For now, technical details of the vulnerability and the exploit are being withheld to give as many Chrome and Chromium users as possible time to update their browsers. Google's security advisory states that the company is aware of an exploit for CVE-2023-7024 existing in the wild. CTIX analysts recommend that all users ensure their browsers are running the latest version to prevent exploitation.
- Bleeping Computer: CVE-2023-7024 Article
- The Hacker News: CVE-2023-7024 Article
- The Record: CVE-2023-7024 Article
- Google: CVE-2023-7024 Advisory