ARTICLE
18 December 2024

Ankura CTIX FLASH Update - December 13, 2024

Ankura Consulting Group LLC

Contributor

Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Malware Activity

New IOCONTROL Malware Targets IOT Devices and OT/SCADA Systems

Cybersecurity researchers have identified a new malware family, linked to an Iranian threat actor, that targets IoT and OT/SCADA devices used by critical infrastructure in Israel and the United States. Dubbed IOCONTROL, the malware targets routers, programmable logic controllers (PLCs), and fuel management systems, among other devices. IOCONTROL is attributed to CyberAv3ngers, an Iranian hacking group known for attacking industrial control systems. Samples have been recovered from infected Gasboy and Orpak fuel management systems, although it is not yet known how the malware was planted on them. The malware is stored in the "/usr/bin/" directory as "iocontrol" and uses an init script named "S93InitSystemd.sh" to persist across reboots. IOCONTROL uses the MQTT protocol for command-and-control (C2) communications and resolves its C2 domains via DNS over HTTPS, which keeps the lookups out of conventional DNS logs. The malware can report system details, run OS commands, run port scans, and delete itself. Once installed on a fuel management system, IOCONTROL could control pumps or payment terminals, leading to service disruption and potentially data theft. Researchers note that the malware's modular design lets it run on many different device types. The threat actors claimed on Telegram last year to have compromised 200 gas stations in Israel and the U.S., and researchers report that new campaigns have emerged this year. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
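The indicators above (the "/usr/bin/iocontrol" binary, the "S93InitSystemd.sh" persistence script, and MQTT-based C2) are enough for a first triage pass over an embedded Linux device and its outbound traffic. The script below is an added example written for this page, not code from the original article or from the researchers who analysed the malware. Only the two file names and the use of MQTT come from the text; the MQTT port numbers (1883 plain, 8883 over TLS), the rc.d directory layout, the device address range and the inventory and flow records are assumptions constructed for the example.

```python
"""Host and flow triage for the IOCONTROL indicators described in the article.

Added example, not the original article's or the researchers' code. Indicators
taken from the text: the "/usr/bin/iocontrol" binary, the "S93InitSystemd.sh"
persistence script, MQTT for C2. Everything else (ports, paths, sample data) is
assumed or constructed.
"""
import csv
import io
import posixpath

# Indicators taken from the write-up.
IOC_BINARY = "/usr/bin/iocontrol"
IOC_INIT_SCRIPT = "S93InitSystemd.sh"

# Assumption: the implant talks to its broker on the standard MQTT ports.
MQTT_PORTS = {1883, 8883}


def scan_filesystem(paths):
    """Return (kind, path) findings for a list of absolute paths from a device."""
    findings = []
    for p in paths:
        if p == IOC_BINARY:
            findings.append(("binary", p))
        # The persistence script lives in a SysV-style rc directory; a file
        # named "Systemd" on a BusyBox/SysV box is itself worth a second look.
        elif posixpath.basename(p) == IOC_INIT_SCRIPT:
            findings.append(("persistence", p))
    return findings


def scan_flows(flow_csv, device_prefix):
    """Flag outbound TCP sessions to MQTT ports from the OT/IoT address range.

    flow_csv: CSV text with columns ts,src,dst,dport,proto (constructed format).
    device_prefix: address prefix of the range holding PLCs, pumps and routers.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"] != "tcp":
            continue
        dport = int(row["dport"])
        if row["src"].startswith(device_prefix) and dport in MQTT_PORTS:
            findings.append((row["ts"], row["src"], row["dst"], dport))
    return findings


# Constructed sample data (not real infection artefacts).
SAMPLE_PATHS = [
    "/usr/bin/busybox",
    "/usr/bin/iocontrol",
    "/etc/rc3.d/S40network",
    "/etc/rc3.d/S93InitSystemd.sh",
]

SAMPLE_FLOWS = """ts,src,dst,dport,proto
2024-12-10T08:00:01,10.20.0.15,10.20.0.1,502,tcp
2024-12-10T08:00:05,10.20.0.15,203.0.113.7,8883,tcp
2024-12-10T08:00:09,10.20.0.15,203.0.113.7,8883,tcp
2024-12-10T08:01:00,10.20.0.30,10.20.0.2,53,udp
2024-12-10T08:02:00,10.50.1.8,198.51.100.9,8883,tcp
"""


def triage(paths=SAMPLE_PATHS, flow_csv=SAMPLE_FLOWS, device_prefix="10.20."):
    """Combine host and network indicators into one report."""
    return {
        "host": scan_filesystem(paths),
        "network": scan_flows(flow_csv, device_prefix),
    }


if __name__ == "__main__":
    report = triage()
    for kind, detail in report["host"]:
        print(f"HOST  {kind:12s} {detail}")
    for ts, src, dst, port in report["network"]:
        print(f"FLOW  {ts} {src} -> {dst}:{port} (MQTT port)")
```

The flow check deliberately does not try to spot the DNS-over-HTTPS resolution: at flow level it is just HTTPS to a public resolver. The useful signal there is the absence of ordinary DNS queries from a device that is nevertheless opening sessions to external hosts, which is a query over your DNS logs rather than over flows. A PLC or pump controller with no business reason to speak MQTT to the internet is a high-confidence hit regardless of port.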

Threat Actor Activity

Europol Operation Shuts Down Twenty-Seven DDoS Sites Ahead of Christmas Holiday

An international law enforcement initiative coordinated by Europol and involving fifteen (15) countries has dismantled twenty-seven (27) DDoS-for-hire services, known as "booters" or "stressers." These platforms, which use botnets of compromised devices to launch distributed denial-of-service (DDoS) attacks on behalf of paying customers, have been taken offline. The operation, codenamed Operation PowerOFF, also resulted in the arrest of three (3) administrators in France and Germany and identified 300 users of the services. The crackdown targeted websites including zdstresser[.]net, orbitalstress[.]net, and starkstresser[.]net, which let cybercriminals and hacktivists flood online services with junk traffic and render them inaccessible. The Dutch Politie also prosecuted four (4) individuals for conducting hundreds of DDoS attacks, and the U.S. Department of Justice indicted two (2) individuals associated with the booter services. Europol noted that motivations for these attacks range from economic sabotage and financial gain to ideological reasons. The operation's timing ahead of the Christmas period was deliberate, given the holiday season's history as a peak period for disruptive DDoS attacks against online shopping and business operations. Nearly 6 million DDoS attacks were reported in the third quarter of 2024, 50% more than in the same period last year. The banking and financial services sector was the most targeted, a trend exacerbated by global geopolitical tensions and the availability of powerful botnets.

Vulnerabilities

WordPress Plugin "Hunk Companion" Vulnerability Exploited to Covertly Install Malicious Plugins

A critical vulnerability in the Hunk Companion plugin for WordPress is being actively exploited by attackers to install and activate outdated or vulnerable plugins, exposing websites to remote code execution (RCE), SQL injection, cross-site scripting (XSS), and the creation of backdoor administrator accounts. Affecting versions prior to 1.9.0, the flaw, tracked as CVE-2024-11972 (CVSS 9.8/10), allows unauthenticated POST requests to bypass the plugin's permission checks and install arbitrary plugins from the WordPress repository, including the abandoned WP Query Console plugin, which contains an unpatched RCE flaw (CVE-2024-50498, CVSS 10/10). Threat actors chain the two issues to execute malicious PHP code, tamper with site files, and maintain persistent access through PHP droppers. WPScan discovered the vulnerability while investigating a WordPress site infection and noted that it is a bypass of a similar flaw that was fixed inadequately in version 1.8.5. Although a security update was released in version 1.9.0, over 8,000 sites remain unprotected, underscoring the urgency of updating immediately. The chain also illustrates why every WordPress component, and third-party plugins in particular, must be kept current, since they are frequently targeted as entry points. CTIX analysts recommend that all affected site administrators who have yet to install the patch do so immediately to prevent future exploitation. Because updating does not remove plugins or administrator accounts that an attacker has already planted, administrators should also review the installed plugin list (WP Query Console in particular), the administrator user list, and any recently modified PHP files for signs of prior compromise.
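Two checks follow directly from the advisory: whether the installed Hunk Companion version is below 1.9.0, and whether the WP Query Console plugin that attackers drop is present. The script below is an added example written for this page, not code from the original article, from WPScan or from the plugin's authors. It reads plugin versions the way WordPress does, from the "Version:" line of the plugin's header comment; the directory slugs "hunk-companion" and "wp-query-console", the assumption that the main file is named after its directory, and the sample headers are constructed for the example.

```python
"""Offline audit of a WordPress plugins directory for the Hunk Companion issue.

Added example, not the article's, WPScan's or the plugin authors' code. From the
advisory: the fixed release (1.9.0) and the fact that exploitation installs the
abandoned WP Query Console plugin. Assumed: the plugin slugs, the main-file
naming convention used by audit_directory(), and the sample headers.
"""
import re
from pathlib import Path

PATCHED = (1, 9, 0)                 # fixed release named in the advisory
TARGET_SLUG = "hunk-companion"      # assumed directory name of the plugin
DROPPED_SLUG = "wp-query-console"   # assumed slug of the plugin attackers install

# Matches the "Version:" header line inside a plugin's comment block.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def parse_version(header_text):
    """Extract the plugin version as an integer tuple, or None if absent."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).strip(".").split(".")]
    # Pad so that "1.9" compares equal to (1, 9, 0).
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(version):
    """Tuple comparison avoids the string pitfall where "1.10.0" < "1.9.0"."""
    return version is not None and version < PATCHED


def audit(plugins):
    """plugins: {slug: header text of the main plugin file}. Returns findings."""
    findings = []
    hc = plugins.get(TARGET_SLUG)
    if hc is not None:
        v = parse_version(hc)
        if is_vulnerable(v):
            findings.append(f"{TARGET_SLUG} {'.'.join(map(str, v))} < 1.9.0: update now")
    if DROPPED_SLUG in plugins:
        # The advisory ties this plugin's presence to post-exploitation activity.
        findings.append(
            f"{DROPPED_SLUG} present: treat the site as compromised; "
            "review admin users and recently modified PHP files"
        )
    return findings


def audit_directory(plugins_dir):
    """Read wp-content/plugins/<slug>/<slug>.php headers from disk and audit them.

    Simplification: WordPress scans every top-level PHP file in a plugin
    directory for the header; this only looks at the file named after the slug.
    """
    plugins = {}
    for d in Path(plugins_dir).iterdir():
        main = d / f"{d.name}.php"
        if d.is_dir() and main.exists():
            plugins[d.name] = main.read_text(errors="ignore")[:8192]
    return audit(plugins)


# Constructed sample headers (not copied from the real plugins).
SAMPLE_PLUGINS = {
    "hunk-companion": "<?php\n/**\n * Plugin Name: Hunk Companion\n * Version: 1.8.5\n */\n",
    "wp-query-console": "<?php\n/*\nPlugin Name: WP Query Console\nVersion: 1.0\n*/\n",
    "akismet": "<?php\n/**\n * Plugin Name: Akismet\n * Version: 5.3\n */\n",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_PLUGINS):
        print(line)
```

Run audit_directory() against a copy of wp-content/plugins taken from a backup or a read-only mount rather than the live tree, so the check does not itself touch files on a site that may already be compromised. A clean version number is only half the answer: the second finding fires even when Hunk Companion is patched, because the dropped plugin outlives the update.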

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
