Ankura CTIX FLASH Update - April 26, 2024

AC
Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.
Cybersecurity researchers have attributed an ongoing infostealer malware campaign to a threat actor termed "CoralRaider". CoralRaider is a financially motivated threat actor...
United States Technology

Ransomware/Malware Activity

Infostealer Malware Campaign Attributed to CoralRaider Exploits CDN Cache

Cybersecurity researchers have attributed an ongoing infostealer malware campaign to a threat actor termed "CoralRaider". CoralRaider is a financially motivated threat actor group of suspected Vietnamese origin known for targeting victims in Asian and Southeast Asian countries. The recent malware campaign has also been seen targeting countries such as the United States (U.S.), Germany, Poland, Japan, and Ecuador, among others.

  • The campaign is designed to deliver infostealer malware including LummaC2, Rhadamanthys, and Cryptbot. The attack begins with a Windows shortcut file, which could be delivered via phishing or malvertising. The shortcut file contains PowerShell commands that grab an obfuscated HTML Application (HTA) file from the CDN cache of an attacker-controlled subdomain to avoid request delays and deceive network defenders. The HTA file contains JavaScript which includes a PowerShell decrypter and loader. The PowerShell loader drops scripts on the victim's machine to evade detection by configuring a Windows Defender exclusions list and bypassing User Access Controls. The PowerShell loader drops the final infostealer payload into the location previously specified to be excluded from Windows Defender scanning. The infostealer malware used in this campaign are recent versions available via malware-as-a-service platforms on underground forums.
  • Attackers behind these infostealers can profit from stolen information such as user credentials, RDP logins, and browser session cookies by selling to other malicious actors to gain initial access.

CTIX analysts will continue to report on novel and evolving malware and associated campaigns.

Threat Actor Activity

Chinese & Russian Hackers Moving Toward Edge Zero-Day Exploits for Increased Detection Evasion

An increase in espionage attacks has led researchers to observe a notable shift in Chinese and Russian hackers' tactical shift towards targeting edge devices like VPN (Virtual Private Network) appliances, firewalls, routers, and Internet of Things (IoT) tools. Previously, it has been common to see hackers targeting employees with malicious phishing emails to gain access to companies; however, last year saw one of the lowest recent volumes of espionage attacks on Windows computers. Instead, a trend towards zero-day vulnerabilities and malware has developed for edge devices.

  • Researchers believe that the current nature of Endpoint Detection and Response (EDR) solutions has reached a level of effectiveness where threat actors would have better odds of avoiding detection by deploying malware on a VPN appliance, for example, as opposed to a Windows computer. This belief is backed by the fact that there was a 50% growth in zero-days used by both espionage groups and financially motivated attackers last year, compared to 2022.
  • Exploiting zero-day vulnerabilities in commonly deployed devices likely allows hackers to remain undetected within systems for longer periods as opposed to more traditional targets like Windows computers with robust EDR solutions, reflecting the trend of stealth and longevity within compromised systems, an emphasis of espionage hacking.
  • Although the exploitation of edge vulnerabilities has become a favored approach for both espionage and criminal activities as a means of staying within a system for longer without being flagged by security solutions, the average "dwell time" in breached systems has also decreased to a record low of roughly ten days, indicating improved detection capabilities and enhanced defense mechanisms against sophisticated threats.

CTIX analysts recommend organizations implement monitoring and detection capabilities to better defend against cyberattacks.

Vulnerabilities

Thousands of CrushFTP Servers May be Vulnerable to the Exploitation of a Patched Vulnerability

UPDATE: Over 1,400 CrushFTP servers exposed to the public internet are at risk due to a critical vulnerability. The flaw, tracked as CVE-2024-4040, is a server-side template injection (SSTI) vulnerability. This vulnerability was previously exploited as a zero-day and allows for a virtual file system (VFS) sandbox escape that can lead to arbitrary file reading and full remote code execution (RCE) on unpatched systems. Security researchers have described the flaw as fully unauthenticated and trivially exploitable, emphasizing its potential to bypass authentication for administrative access, executing code as root.

The issue has drawn significant attention, with cybersecurity firms observing its exploitation in targeted attacks aimed at U.S. organizations, suggesting a politically motivated intelligence-gathering effort. Shodan scans reveal that over 5,000 CrushFTP servers are currently internet-exposed, though it's unclear how many are vulnerable.

Following the vulnerability disclosure and patch release by CrushFTP, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-4040 to its Known Exploited Vulnerabilities (KEV) catalog, directing U.S. federal agencies to secure their servers by no later than May 1, 2024. CrushFTP has responded by urging users to update their systems immediately and check frequently for the latest security updates. This situation underscores the importance of timely patching to protect sensitive data and infrastructure from potential cyber threats.

CTIX analysts recommend that CrushFTP administrators ensure that they have updated their infrastructure and conduct an internal investigation for evidence of exploitation if it has not been patched.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More