ARTICLE
8 November 2024

Ankura CTIX FLASH Update - November 5, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Ransomware/Malware Activity

Interlock Ransomware Targets FreeBSD Servers

A new ransomware operation named "Interlock" has been attacking organizations worldwide and has published data allegedly stolen from six (6) organizations since September 2024. Researchers have discovered Interlock variants built to encrypt FreeBSD servers, an operating system that ransomware operations rarely target. Experts speculate that Interlock targets FreeBSD because it is widely used in servers and critical infrastructure. Interlock engages in double extortion: it encrypts critical systems and also demands a ransom to suppress publication of the stolen data. Interlock targets Windows as well as FreeBSD; on Windows it clears the event logs and deletes itself after encrypting files. Encrypted files are appended with a ".interlock" extension, and a ransom note named "!___README___!.txt" is left in directories instructing victims on how to reach a Tor site for payment negotiations. Because Interlock's operations are relatively new, there is still much to uncover about the threat actor's tactics, techniques, and procedures. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

FBI Tracking Down Threat Actors Exploiting Edge Networking Devices

The FBI has sought public assistance in identifying the individuals behind a series of intrusions involving compromised edge devices in both the public and private sectors. These intrusions have been linked to Chengdu-based researchers collaborating with Chinese government agencies, who exploited vulnerabilities in Sophos products, including CVE-2020-12271, to install malware such as Asnarök. The FBI's request follows detailed reporting from Sophos describing years-long surveillance and espionage campaigns against critical infrastructure in South and Southeast Asia, with some incidents affecting Europe and the United States. Chinese nation-state groups such as Volt Typhoon have targeted edge devices like routers and firewalls, using them as operational relay boxes (ORBs) to obfuscate their activities and conduct espionage. These devices are attractive targets because of their processing power, constant connectivity, and position in the network, which makes them useful both for direct espionage and for staging attacks on other targets.

Sophos labelled its series of reports "Pacific Rim", detailing its ongoing conflict with Chinese threat actors over the past five (5) years. As stated in the reports, these actors have increasingly targeted networking devices worldwide, including those from Sophos, exploiting vulnerabilities to install custom malware for network monitoring, credential theft, and proxy operations. The attacks have impacted products from several well-known manufacturers, including Fortinet, Cisco, and Sophos, and have been attributed to groups such as Volt Typhoon, APT31, and APT41/Winnti. Sophos began confronting these threats in 2018 when its subsidiary Cyberoam was targeted, marking the start of sustained attacks on its network devices. The actors have since advanced their techniques to include memory-only malware and sophisticated persistence methods, and they use compromised devices as proxy networks to evade detection. Sophos countered by deploying its own implants on devices it knew the attackers controlled, gathering intelligence on the actors' tooling, which included their testing of a UEFI bootkit on a firewall.

Vulnerabilities

Google AI Tool Finds Critical Vulnerability in SQLite that was Missed by Fuzzing

Google's experimental AI framework Big Sleep, an evolution of Project Naptime and a collaboration between Google Project Zero and DeepMind, has uncovered a previously unknown, exploitable vulnerability in the widely used SQLite open-source database. The zero-day memory safety flaw, a stack buffer underflow that could lead to crashes or arbitrary code execution, was found by analyzing recent code commits and was fixed before it reached an official release, so no SQLite users were exposed. Traditional fuzzing, which tests software by feeding it random or malformed data to trigger errors, had not detected the issue, underscoring Big Sleep's potential as a vulnerability research tool. Big Sleep uses a large language model (LLM) to mimic human-like reasoning and code comprehension, allowing it to navigate a codebase, run sandboxed Python scripts, and debug candidate vulnerabilities. This AI-driven approach is particularly suited to variant analysis: finding modifications of previously known flaws, which account for a significant share of zero-day exploits but often evade traditional tools. Despite the success, Google notes that the results are experimental and that targeted fuzzers still play a critical role in vulnerability research. Even so, the finding highlights the potential of LLMs to help defenders stay ahead of attackers by identifying and fixing vulnerabilities before they can be exploited, a promising step toward more proactive security. CTIX analysts will continue to report on critical vulnerabilities and the efforts taken to defend against their exploitation.
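As an added illustration (this is not SQLite's code and not Google's tooling), the generic shape of the bug class described above: a sentinel value such as -1 that is legitimate as a "not a real column" marker but is nonetheless used to index a small stack array, producing a stack buffer underflow. The vulnerable form is shown beside a bounds-checked form; the names (mark_seen_unchecked, mark_seen_checked, apply_constraints, ROWID_COLUMN) and the sample input are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NCOLS 4
#define ROWID_COLUMN (-1)   /* sentinel: "no real column, use the implicit rowid" */

/* Vulnerable shape. The caller is trusted to pass a real column index,
 * so idx == ROWID_COLUMN writes seen[-1]: the slot just below a stack
 * array, i.e. a stack buffer underflow. What lives there is up to the
 * compiler (another local, saved registers, a canary), which is why the
 * outcome ranges from silent corruption to a crash or control-flow hijack.
 * Shown for contrast only; never call it with an untrusted idx. */
static void mark_seen_unchecked(int seen[NCOLS], int idx)
{
    seen[idx] = 1;
}

/* Hardened shape: the sentinel becomes an explicit, handled case and
 * everything else is bounds-checked before it touches the array. */
static bool mark_seen_checked(int seen[NCOLS], int idx)
{
    if (idx == ROWID_COLUMN)      /* legitimate value, but not an index */
        return false;
    if (idx < 0 || idx >= NCOLS)  /* anything else out of range */
        return false;
    seen[idx] = 1;
    return true;
}

typedef struct {
    int applied;   /* indexes that named a real column */
    int rejected;  /* sentinel or out-of-range indexes */
} mark_result;

/* Walk a list of constraint column indexes (hypothetical input shape)
 * through the checked path and report what was applied vs rejected. */
static mark_result apply_constraints(const int *cols, size_t n)
{
    int seen[NCOLS];
    mark_result r = {0, 0};
    memset(seen, 0, sizeof seen);
    for (size_t i = 0; i < n; i++) {
        if (mark_seen_checked(seen, cols[i]))
            r.applied++;
        else
            r.rejected++;
    }
    return r;
}

int main(void)
{
    /* Constructed sample input: three real columns, one rowid sentinel,
     * one index past the end of the array. */
    const int cols[] = {0, ROWID_COLUMN, 2, 3, 7};
    mark_result r = apply_constraints(cols, sizeof cols / sizeof cols[0]);
    printf("applied=%d rejected=%d\n", r.applied, r.rejected);

    /* The unchecked path behaves for a valid index ... */
    int seen[NCOLS] = {0};
    mark_seen_unchecked(seen, 1);
    /* ... and would underflow the stack with ROWID_COLUMN, so that call
     * is deliberately absent. */
    return 0;
}
```

The point of the contrast is why a coverage-guided fuzzer can miss this class of bug: the unchecked write is only wrong when the input reaches the one code path that produces the sentinel, and a fuzzer that never constructs such an input sees no crash. The checked form turns that implicit assumption into a visible branch that both a reviewer and a targeted test can exercise.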

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
