19 September 2024

Ankura CTIX FLASH Update - September 17, 2024

Ankura Consulting Group LLC


Malware Activity

Malware Locks Browser in Kiosk Mode, Frustrating User into Entering Credentials

A recent malware campaign has been identified that traps users in their browser's kiosk mode on Google's login page, compelling them to enter their Google credentials out of annoyance. The malware locks the browser and disables the "ESC" and "F11" keys, which prevents users from easily exiting kiosk mode. Kiosk mode is a specialized setting in web browsers or apps that allows them to operate in full-screen mode without standard user interface elements such as toolbars, address bars, or navigation buttons. This mode is intended to restrict user interactions to specific functions, making it well suited to public kiosks. In this attack, however, kiosk mode is misused to confine user actions to the Google login page, leaving entering account credentials as the only apparent option. The tactic aims to frustrate users into entering their credentials to "unlock" the computer; the credentials are then stolen by the StealC information-stealing malware. This attack method has been active since at least August 22, 2024, and is mainly utilized by Amadey, a malware loader known for information theft and system reconnaissance. Amadey deploys an AutoIt script that scans for available browsers and launches one in kiosk mode directed to Google's change password page. This creates an opportunity for users to re-enter and save their credentials, which StealC subsequently steals. Users who find themselves trapped in kiosk mode should avoid entering any sensitive information and try alternative hotkeys such as 'Alt + F4' or 'Ctrl + Shift + Esc' to exit the browser. If these methods fail, performing a hard reset and running a full antivirus scan in Safe Mode is recommended to remove the malware.
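Detection logic for the pattern described above, added here as an example and not part of the CTIX bulletin: it scores process-creation records for a browser launched with a kiosk switch onto a Google account page, so legitimate kiosks and ordinary Google logins score low while the combination stands out. The record layout, field names and the AutoIt parent-process check are assumptions; the kiosk switches are the real Chrome, Edge and Firefox ones.

```python
import re
from dataclasses import dataclass

# Browser images worth inspecting (assumption: endpoint telemetry reports the image name).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Real switches: Chrome/Edge use --kiosk, Firefox accepts -kiosk.  Anchored so that
# unrelated switches such as --edge-kiosk-type do not match.
KIOSK_FLAG = re.compile(r"(?:^|\s)--?kiosk\b", re.IGNORECASE)
# Google sign-in / account-management hosts, where the change-password page lives.
GOOGLE_ACCOUNT_URL = re.compile(
    r"https?://(?:accounts|myaccount)\.google\.com/", re.IGNORECASE)
# Assumption: the AutoIt launcher runs from the stock AutoIt3 interpreter image.
SUSPICIOUS_PARENTS = {"autoit3.exe"}


@dataclass
class ProcEvent:
    """One process-creation record (constructed layout, not a vendor schema)."""
    image: str      # process image name
    cmdline: str    # full command line
    parent: str     # parent image name


def score_event(ev: ProcEvent) -> int:
    """Return 0 for benign events, otherwise 2 or 3 (higher = more suspicious).

    A kiosk flag alone (digital signage) or a Google URL alone (normal login)
    is not enough; at least two indicators must coincide on a browser process.
    """
    if ev.image.lower() not in BROWSERS:
        return 0
    score = 0
    if KIOSK_FLAG.search(ev.cmdline):
        score += 1
    if GOOGLE_ACCOUNT_URL.search(ev.cmdline):
        score += 1
    if ev.parent.lower() in SUSPICIOUS_PARENTS:
        score += 1
    return score if score >= 2 else 0


def hunt(events):
    """Return only the events that cross the alerting threshold."""
    return [ev for ev in events if score_event(ev) >= 2]


# Constructed sample telemetry for demonstration; not real logs.
SAMPLE = [
    ProcEvent("chrome.exe", "chrome.exe --kiosk https://myaccount.google.com/signinoptions/password", "AutoIt3.exe"),
    ProcEvent("msedge.exe", "msedge.exe --kiosk https://signage.example.local/board --edge-kiosk-type=fullscreen", "explorer.exe"),
    ProcEvent("chrome.exe", "chrome.exe https://accounts.google.com/ServiceLogin", "explorer.exe"),
    ProcEvent("firefox.exe", "firefox.exe -kiosk https://accounts.google.com/", "cmd.exe"),
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE):
        print(f"score={score_event(ev)} parent={ev.parent} cmd={ev.cmdline}")
```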

Threat Actor Activity

RansomHub Claims Another Victim, Publishing Kawasaki's Stolen Data

Kawasaki Motors Europe is recovering from a recent cyberattack attributed to the RansomHub ransomware gang, which has claimed to have stolen four hundred and eighty-seven (487) gigabytes of data from the company. The attack, which occurred in early September 2024, led to the temporary isolation of Kawasaki's servers as a precautionary measure. The company's IT department, in collaboration with external cybersecurity experts, spent the following week meticulously checking each server for suspicious material such as malware before reconnecting it to the corporate network. Thus far, Kawasaki Motors Europe has restored over 90% of its server functionality, ensuring that operations involving motor vehicle dealers, third-party suppliers, and logistics are not significantly impacted. The company, which reported over $3 billion in earnings last quarter, is a major player in the motor vehicle industry, manufacturing motorcycles, utility vehicles, and other motorized products. The cyberattack has drawn further attention to RansomHub, a ransomware gang that has emerged as a significant threat following the dissolution of earlier gangs like LockBit and AlphV. RansomHub has been linked to at least two hundred and ten (210) ransomware attacks on various organizations since launching in February 2024, according to the FBI and other law enforcement agencies. Notable recent victims include Rite Aid, Frontier, Planned Parenthood, Halliburton, and Christie's. The group's tactic involves adding victims to its extortion portal on the dark web, with a timer set to publish stolen data if ransom demands are not met. The timer for Kawasaki was set to expire on Saturday, September 14, 2024. CTIX analysts' own research found that Kawasaki's data has indeed been published on the RansomHub leak site. Despite the severity of the attack, Kawasaki has not publicly commented on whether customer data was included in the stolen files. The company has also not responded to media inquiries about the incident.

Vulnerabilities

Critical Ivanti Vulnerability Under Active Exploitation by Threat Actors

Ivanti has disclosed that a high-severity vulnerability in its Cloud Service Appliance (CSA) is actively being exploited in attacks, prompting action from both the company and federal agencies. The vulnerability, tracked as CVE-2024-8190, allows remote code execution (RCE) by attackers who already hold administrative privileges and impacts CSA version 4.6, which has reached end-of-life status. Ivanti has released a patch (CSA 4.6 Patch 519) but strongly advises customers to upgrade to the supported CSA version 5.0, which is not affected by this vulnerability and continues to receive updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies secure vulnerable systems no later than October 4, 2024. Ivanti also noted that configurations following best practices, such as dual-homed CSA setups, are at a lower risk of exploitation. In addition to addressing this vulnerability, Ivanti has patched other critical flaws, including a maximum-severity issue in its Endpoint Management software (EPM). The company has ramped up internal scanning, testing, and responsible vulnerability disclosure practices to improve its security response. With its products used by over 40,000 companies, including federal agencies, upgrading and securing these systems is urgent to prevent further exploitation. CTIX analysts recommend that all administrators responsible for instances of Ivanti CSA ensure that their platforms are safeguarded against these flaws by patching and following best security practices.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
