25 October 2024

Ankura CTIX FLASH Update - October 22, 2024

Ankura Consulting Group LLC


Ransomware/Malware Activity

ESET Distributor Breached, Data Wipers Sent to Israeli Organizations

Cybercriminals have allegedly breached Comsecure, an Israeli distributor of ESET's software and cybersecurity products, to send phishing emails to Israeli organizations containing data-wiping malware disguised as cybersecurity software. The phishing campaign began on October 8th, when emails from the legitimate eset[.]co[.]il domain were sent to Israel-based customers from ESET's "Advanced Threat Defense Team". The phishing emails warned that the recipient had recently been targeted by government-backed attackers and offered the recipient a link to download an advanced cybersecurity tool: "ESET Unleashed". The link directs users to the legitimate eset[.]co[.]il domain, which hosts a ZIP archive containing four DLL files digitally signed by ESET's code signing certificate along with an executable, "Setup.exe", that is not signed. "Setup.exe" is the data wiper, designed to delete all files from a victim's computer while corrupting the partition table to make data recovery difficult. ESET released a statement on October 18th, 2024, noting that the company was "...aware of a security incident which affected our partner company in Israel last week". ESET's announcement states that a "limited malicious campaign was blocked within ten minutes", and that their customers are secure. As of the time of this writing, the attack has not yet been attributed to a specific threat actor. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

China's Spamouflage Campaign Targeting U.S. Senator Marco Rubio

The Chinese disinformation campaign known as Spamouflage has honed its focus on U.S. Senator Marco Rubio, employing new tactics to test the effectiveness of its influence operations. Researchers from Clemson University have observed Spamouflage targeting Rubio's X account, marking a shift from their 2022 strategy, which involved flooding social media with supportive but poorly crafted content. This historical approach aims to drown out genuine messages and create noise that makes it difficult for real discourse to be heard - to sweep an unflattering topic under the rug. In their latest efforts, Spamouflage has shifted to using more authentic-looking hijacked accounts to spread anti-Rubio content across platforms such as X, Reddit, and Medium. The content is notably well-written, potentially leveraging AI or large language models (LLMs) to create material. This evolution in tactics away from boosting narratives suggests an alignment with Russian disinformation strategies, focusing on creating divisions and highlighting U.S. domestic issues. Senator Rubio, a known critic of China, has acknowledged the increasing aggression of China's information operations, stressing the importance of addressing these efforts. Researchers warn against underestimating China's sophistication in conducting influence campaigns, emphasizing the nuanced and complex nature of their operations.

Vulnerabilities

Critical Vulnerabilities in Multiple Major End-to-End Encrypted Cloud Storage Platforms Impact Tens of Millions of People

Cybersecurity researchers from ETH Zurich uncovered significant cryptographic vulnerabilities in several major end-to-end encrypted (E2EE) cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit, collectively used by over 22 million people. These flaws allow attackers to inject, tamper with, or access user data by exploiting a compromised server. The vulnerabilities include unauthenticated key material, encryption protocol downgrades, and metadata manipulation, which compromise file confidentiality, integrity, and user security. Specific weaknesses, such as Sync's exposure of shared passwords and key injection issues, pCloud's encryption tampering, and Icedrive's unauthenticated CBC encryption, make these systems vulnerable to attackers, including nation-state actors and skilled hackers. Despite these concerns, Tresorit fared relatively better, with issues confined to metadata and public key handling, though improvements are planned for 2025. While Icedrive declined to address the identified flaws, other providers have begun responding, with some issues already patched. This research underscores the gap between the security claims of E2EE platforms and the real-world risks they face, highlighting the need for stronger cryptographic safeguards across the industry. CTIX analysts will continue to report on new and novel vulnerabilities to keep our readers informed about the potential threats to their data.
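The "unauthenticated CBC encryption" weakness named above is the reason a compromised storage server can alter files without the client noticing. The following Go program is an added illustration, not code from the ETH Zurich research or from any of the providers: it encrypts a constructed file-metadata record with AES-CBC (no authentication tag) and with AES-GCM, then simulates a server flipping one ciphertext byte. CBC decryption returns no error and silently yields changed plaintext; GCM refuses the tampered ciphertext. The key, IV, nonce and record are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo values; real code draws key, IV and nonce from crypto/rand.
var key = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
var iv = []byte("16-byte-demo-iv!")                  // CBC IV, one block
var nonce = []byte("12-byte-nonc")                    // GCM nonce, 96 bits
// Constructed metadata record of exactly two AES blocks, so no padding is needed.
var plaintext = []byte("perm=read-only;owner=alice@corp.")

// cbcEncrypt is AES-CBC with no integrity tag: the unauthenticated construction.
func cbcEncrypt(pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(pt)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or unaligned plaintext")
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct, nil
}

// cbcDecrypt has no way to tell a tampered ciphertext from a genuine one.
func cbcDecrypt(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or unaligned ciphertext")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// gcmSeal / gcmOpen use AES-GCM, an AEAD whose tag detects any ciphertext change.
func gcmSeal(pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, pt, nil), nil
}

func gcmOpen(ct []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, nil)
}

// tamper simulates a storage server flipping one bit of data it cannot read.
func tamper(ct []byte) []byte {
	out := append([]byte(nil), ct...)
	out[0] ^= 0x01
	return out
}

func main() {
	ct, _ := cbcEncrypt(plaintext)
	pt, err := cbcDecrypt(tamper(ct))
	fmt.Printf("CBC: err=%v, plaintext changed=%v\n", err, !bytes.Equal(pt, plaintext))
	sealed, _ := gcmSeal(plaintext)
	_, err = gcmOpen(tamper(sealed))
	fmt.Printf("GCM: err=%v\n", err)
}
```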
