Malware Activity

Banking Trojans are on the Rise Targeting Latin America and Europe

Cybersecurity researchers have observed an uptick in email phishing campaigns designed to deliver banking trojans to victims primarily in Latin America and Europe. Three (3) trojans in particular, Astaroth (Guildma), Mekotio, and Ousaban (Javali), are misusing Google's Cloud Run service to distribute the malware. Google Cloud Run is a managed computing platform that enables customers to build and deploy web services in Google Cloud. Threat actors are weaponizing Google Cloud Run because of its trusted nature: many organizations will not prevent internal systems from accessing Google platforms. Cybersecurity researchers have been tracking the rise of these phishing campaigns since the Fall of 2023. The malware families share many commonalities: all use the same storage bucket in Google Cloud for propagation and malicious Microsoft Installers (MSIs) as droppers for the final malware payload. The phishing campaigns appear to originate predominantly from systems in Brazil, using emails that are largely written in Spanish. The phishing emails sometimes purport to be from a local tax agency and are likely to contain invoices, financial documents, or tax documents. The links included in the phishing email direct to run[.]app, which delivers a ZIP archive containing a malicious MSI file to the victim. In some cases, researchers have observed redirects from the run[.]app site to legitimate sites like google[.]com to evade detection. The final banking trojan payload is designed to steal the victim's credentials to financial institutions. The malware achieves this by tracking the victim's web browsing activity, logging keystrokes, and taking screenshots of the victim's device. CTIX analysts will continue to report on novel strains and new trends in malware campaigns.
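The two observable behaviours described above (a ZIP fetched from a run[.]app host, and a run[.]app host that redirects off to a legitimate site) can be checked from proxy logs, and a downloaded archive can be checked for an MSI regardless of the member's file name. The following is an added example for defenders and is not code from the report or from Cisco Talos; the log format, the `invoice-example-abc123-uc.a.run.app` hostname and the sample archive are all constructed for the example.

```python
import io
import zipfile
from urllib.parse import urlparse

# MSI packages are OLE Compound File Binary documents; this is the CFB header signature.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Constructed proxy-log lines (not from the report): time client method url status content-type redirect-target
SAMPLE_LOGS = [
    "2024-02-20T10:01:12Z 10.0.0.5 GET https://invoice-example-abc123-uc.a.run.app/factura.zip 200 application/zip -",
    "2024-02-20T10:02:40Z 10.0.0.9 GET https://invoice-example-abc123-uc.a.run.app/factura.zip 302 - https://www.google.com/",
    "2024-02-20T10:03:01Z 10.0.0.7 GET https://updates.example.org/tool.zip 200 application/zip -",
]

def is_cloud_run_host(url: str) -> bool:
    """True for run.app and any subdomain of it (Cloud Run service hostnames)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "run.app" or host.endswith(".run.app")

def triage_log_line(line: str):
    """Classify one proxy-log line against the two behaviours the report describes; None if neither applies."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _ts, _client, _method, url, status, ctype, location = parts
    if not is_cloud_run_host(url):
        return None
    if status == "200" and (ctype == "application/zip" or url.lower().endswith(".zip")):
        return "cloud_run_zip_download"
    if status.startswith("3") and location != "-" and not is_cloud_run_host(location):
        return "cloud_run_redirect_offsite"
    return None

def find_msi_members(zip_bytes: bytes) -> list:
    """Name ZIP members that are MSI packages, judged by the CFB magic rather than by file extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                if fh.read(len(CFB_MAGIC)) == CFB_MAGIC:
                    hits.append(info.filename)
    return hits

def build_sample_zip() -> bytes:
    """Constructed archive: a CFB-headed blob under an innocuous .pdf name plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("factura.pdf", CFB_MAGIC + b"\x00" * 504)
        zf.writestr("readme.txt", b"plain text, not an installer")
    return buf.getvalue()
```

The magic-byte check matters because the dropper need not carry a `.msi` extension inside the archive; pairing it with the run[.]app source indicator keeps the rule narrow enough not to flag every Cloud Run download.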

  • The Hacker News: Banking Trojans Article
  • CISCO TALOS: Banking Trojans Report

Threat Actor Activity

LockBit Restores Servers and Calls for Attacks on The US Government

UPDATE: Five (5) days after the international law enforcement operation "Operation Cronos" shut down the LockBit ransomware gang's servers, the threat actor appears to have resurfaced on the dark web using new infrastructure. Law enforcement was said to have taken down thirty-four (34) of the threat actor's servers, which hosted the data leak website and its mirrors, as well as cryptocurrency addresses, decryption keys, and the affiliate panel. The group, however, has successfully moved its data leak site to a new ".onion" address; the relaunched site shows previously known victims with countdown timers running for publishing stolen information, along with a handful of new victims. The LockBit administrator also released a lengthy message, posted under a mock-up FBI leak on the site, detailing the negligence that led to the breach by law enforcement (which they refer to collectively as the FBI) along with their plan for continued operations. Part of it acknowledged that laziness left their admin and chat panel servers and blog server running outdated versions of PHP with a critical vulnerability tracked as CVE-2023-3824, which is what they believe law enforcement exploited to breach their infrastructure. The admin also stated that LockBit's ransomware attack on Fulton County in January is the reason "the FBI" hacked their infrastructure, because "the stolen documents contain a lot of interesting things and Donald Trump's court cases that could affect the upcoming US election." In response, the threat group called for an increase in attacks on the ".gov sector" and the US government in general. Additionally, the admin said the decryptors that law enforcement obtained were "unprotected decryptors" that lacked the "maximum decryption protection" and were typically used only by low-level affiliates who collected smaller ransoms of just $2,000. The group stated that it will increase its security and start manually releasing decryptors to make its infrastructure more difficult to hack, and that it will start offering rewards to anyone who finds vulnerabilities in its current infrastructure. This is speculated to be an attempt to restore the threat actor's credibility, but only time will tell. CTIX will continue to release the latest updates about the developing situation.

  • Bleeping Computer: LockBit Article
  • The Hacker News: LockBit Article

Vulnerabilities

Critical Vulnerabilities Patched in the Linux Kernel Impacting the KSMBD File Server

Two (2) critical vulnerabilities in the Linux kernel, affecting the KSMBD file server module designed for interoperability with Windows systems, were recently identified and patched. KSMBD is a Linux kernel server that implements the SMB3 protocol in kernel space for sharing files over a network. These flaws, tracked as CVE-2024-26592 and CVE-2024-26594, pose significant risks to Linux systems by allowing remote code execution (RCE) and information disclosure, respectively. The first vulnerability (CVSS score of 9/10) could allow attackers to execute arbitrary code at the kernel level due to a race condition in managing TCP connections. The second (CVSS score of 9.3/10) could lead to sensitive information leaks via incorrect validation of SMB2 authentication tokens. These vulnerabilities highlight the critical role of the KSMBD module in facilitating high-speed file sharing between Linux and Windows systems, while also drawing attention to the risk that comes with running a network file server in kernel space. The flaws were identified by a researcher affiliated with Trend Micro's Zero Day Initiative, and their swift patching by the Linux community reflects the ongoing commitment to securing open-source infrastructure. CTIX analysts strongly advise Linux system administrators with KSMBD enabled to update their systems immediately to prevent the exploitation of these vulnerabilities.

  • Security Online: Linux Kernel Vulnerabilities Article

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Ankura Consulting Group LLC
2000 K Street NW
12th Floor
Washington
DC 20006
UNITED STATES
Tel: 202797 1111
E-mail: cody.prince@ankura.com
URL: ankura.com

© Mondaq Ltd, 2024 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source Business Briefing