Ransomware Group ALPHV Attacks Florida International University
The CTIX-monitored ransomware group ALPHV (aka BlackCat) has claimed its latest educational institution victim: Florida International University (FIU). ALPHV operates a highly versatile ransomware written in the Rust programming language, which it uses to exfiltrate and then encrypt its victims' data. The group has posted on its leak site that it exfiltrated approximately 1.2 terabytes (TB) of FIU data, including the personal information of an undisclosed number of students and staff. The FIU data reportedly includes, but is not limited to, Social Security numbers (SSNs), contacts, contracts, financial and account documents, email databases, and about 300 gigabytes (GB) of SQL databases. By the morning of April 8, 2022, a small set of screenshots of this data had been published on the ALPHV site as proof of the breach. FIU is now the eighth publicly reported US university or college to fall victim to ransomware this year, and the third attacked by the ALPHV ransomware group. CTIX analysts will continue to track and monitor the ALPHV threat group and report on additional attacks as the group develops further.
Automotive Manufacturer Snap-on Discloses Data Breach After Conti Leaks Files
Snap-on, a leading automotive tools manufacturer and designer based in the United States, recently disclosed a data breach following the publication of exfiltrated files by the Conti ransomware gang. Snap-on's products are used mainly in the transportation industry and are sold under brands including Mitchell 1, Norbar, Blackhawk, Blue-Point, and Williams. In Snap-on's data breach notification letter, the company revealed that unusual activity was detected in early March and that, after conducting an investigation, "personal data of our Snap-on people was taken by an unauthorized third party between March 1 and March 3, 2022." Snap-on also explained that the "personal data" involves "associate and franchise data" including names, Social Security numbers (SSNs), dates of birth, and employee identification numbers. While Snap-on did not name the unauthorized third party, the Conti gang claimed responsibility for the data breach on March 16, 2022, via a post on its leak site titled "Snap-on Incorporated." The group began publishing one (1) gigabyte (GB) of exfiltrated data, but the posting was removed from the leak site before the upload completed. We are unaware of any agreement between Snap-on and Conti, but note that when a post is removed after some data has already been leaked, it often means that the victim has paid the demanded ransom in exchange for its removal. CTIX analysts will continue to monitor for additional fallout from this data breach.
Threat Actor Activity
Catfishing Campaign by AridViper Targets Israeli Officials
Israeli officials are being targeted in a catfishing campaign, code-named "Operation Bearded Barbie," run by AridViper (APT-C-23), a group suspected of affiliation with Hamas. Over the past months, AridViper actors have selected their targets specifically with the end goal of compromising the victim's device(s), establishing persistent espionage modules, and exfiltrating sensitive information. The threat actors craft elaborate, well-backstopped fake personas, most often young women, in order to lure the victim into a romantic conversation. Once communication is established, the persona attempts to move the conversation to WhatsApp, where the victim is sent a malware-laced sexual video. Once downloaded and opened, the malware establishes persistence on the device, allowing the exfiltration of device information including files, archives, media, and more. This catfishing campaign has successfully compromised individuals within the emergency services, military, and law enforcement sectors. CTIX continues to urge users to verify the authenticity of any suspicious communication before downloading any files or clicking any hyperlinks, to lessen the chance of compromise.
Sandworm Threat Actors Target Ukrainian Power Substations
Ukrainian energy companies are being targeted by Russian-linked threat actors with newly modified malware variants: a new version of the ICS-targeting Industroyer malware (tracked as Industroyer2 in vendor reporting) and the CaddyWiper wiper. In recent days, threat actors from the Sandworm group have targeted several high-voltage power substations, deploying the Industroyer variant to manipulate substation equipment, followed by CaddyWiper on Windows-based systems and other destructive payloads on Linux-based systems. Security researchers have noted that the wipers used in this campaign are capable of moving laterally within the network, compromising additional substation assets. Once the malware is deployed on a system, a scheduled task is created to trigger the file destruction at a set time. The attacks on Ukraine's power substations were identified by security teams and stopped shortly after detection, lessening their potential impact. Security teams also noted that the timing of the attack was suspicious, as it occurred around the time the targeted organization was decommissioning components of its internal infrastructure. CTIX will continue to monitor the situation and will provide additional information accordingly.
JekyllBot:5 Vulnerability Poses Threat to Medical Facilities
IoT security researchers at Cynerio have discovered five (5) high-severity vulnerabilities in autonomous robots operating in hospitals. These vulnerabilities, collectively known as "JekyllBot:5," affect the Aethon TUG autonomous robots that move equipment and food throughout medical facilities. This autonomous capability means that the robots have access to potentially restricted parts of facilities, as well as access to patient information. Additionally, the onboard camera used to help the robots navigate can be compromised, enabling surveillance inside these facilities. Leveraging these vulnerabilities could allow an attacker to take control of a robot, remotely piloting it to surveil an area or intentionally cause physical damage. The vulnerabilities stem from a lack of authorization and identity checks, which allows new administrative users to be added to the system without authentication. Once access to the TUG portal is obtained, threat actors could move laterally across the medical facility's network, widening the breach and enabling the deployment of additional malware. The vendor has already released firmware patches for these specific vulnerabilities, but the incident raises questions about the increasing use of IoT in medical facilities. CTIX analysts will continue to monitor vulnerabilities in medical IoT devices as these kinds of vulnerabilities continue to evolve.
NGINX Zero-Day Flaw Allows Attackers to Bypass Authentication
F5, which maintains NGINX, has identified and disclosed a critical zero-day vulnerability affecting a component of the NGINX web server ecosystem. The flaw was first reported by a hacking group known as "BlueHornet," after the group tweeted about an experimental exploit for NGINX version 1.18. The vulnerability exists in the Lightweight Directory Access Protocol (LDAP) reference implementation. NGINX itself does not speak LDAP; the reference implementation is an LDAP-auth daemon written in Python that runs alongside NGINX and authenticates users of NGINX-proxied applications against LDAP servers. This daemon is where the weakness lies: if exploited, an attacker could send maliciously crafted HTTP request headers to override its configured settings and/or bypass its group-membership requirement. Either technique can cause the daemon to report a user as authenticated regardless of whether that user was actually entitled to access. Although this is a critical vulnerability, subsequent research shows that it is exploitable only under three (3) specific conditions: first, when command-line parameters are used to configure the Python daemon; second, when optional configuration parameters are left unused; and third, when LDAP authentication depends on specific group membership. Further research also showed that this affects only the LDAP reference implementation and does not impact NGINX Open Source or NGINX Plus. There is currently no hard evidence that this flaw has been exploited in the wild; however, BlueHornet has alleged that the Chinese branch of UBS Securities and the Royal Bank of Canada were breached, though neither claim has been verified. Although this is a zero-day, attacks on LDAP authentication are not uncommon, and administrators should have contingencies and mitigations for dealing with them as part of their standard security measures.
The CEO of Viakoo, an enterprise IoT security platform, recommended that, “organizations running LDAP need to encrypt traffic using TLS certificates on IoT devices, have automated mechanisms to update IoT device firmware, and ensure the IoT device passwords are updated regularly and follow corporate policies.” The Ankura CTIX urges any NGINX-proxied application administrators, and NGINX Web Server maintainers to mitigate this vulnerability immediately using whatever mitigation technique is best for their specific environment.
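The header-override weakness described above is easiest to see in code. The following is an added illustration written for this update, not the NGINX LDAP reference implementation or any code from F5: a toy auth daemon that, like the reference implementation, takes per-request settings from X-Ldap-* headers that NGINX is expected to set. The in-memory directory, the filter parser, and both authorization functions are constructed for the example; the header names mirror those the reference implementation uses, but the daemon logic is a simplified stand-in. If NGINX does not overwrite a header, a client-supplied copy reaches the daemon, and an attacker can swap the operator's group-restricted search filter for one with no group check.

```python
"""Toy model of a header-configured LDAP auth daemon (constructed example)."""
import re
from dataclasses import dataclass
from typing import Mapping

# Constructed in-memory directory standing in for an LDAP server: base DN -> entries.
DIRECTORY = {
    "dc=example,dc=com": [
        {"uid": ["alice"], "memberof": ["cn=admins,ou=groups,dc=example,dc=com"]},
        {"uid": ["bob"], "memberof": ["cn=staff,ou=groups,dc=example,dc=com"]},
    ],
}


@dataclass(frozen=True)
class LdapConfig:
    base_dn: str
    template: str  # LDAP search filter with a %(username)s placeholder


# What the operator intended: only members of the admins group may log in.
SERVER_CONFIG = LdapConfig(
    base_dn="dc=example,dc=com",
    template="(&(uid=%(username)s)(memberOf=cn=admins,ou=groups,dc=example,dc=com))",
)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int = 0):
    """Parse a minimal filter grammar: (&...), (|...), (attr=value)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated filter list")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("eq", attr.lower(), value), j + 1


def _matches(node, entry: Mapping[str, list]) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter; an escaped \2a is a literal asterisk
        return bool(values)
    return any(v.lower() == _unescape(value).lower() for v in values)


def ldap_search(base_dn: str, filter_str: str) -> list:
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e for e in DIRECTORY.get(base_dn, []) if _matches(node, e)]


def vulnerable_authorize(headers: Mapping[str, str], username: str) -> bool:
    """Per-request settings are read from X-Ldap-* headers. If NGINX does not
    overwrite a header, a client-supplied copy reaches the daemon unchanged."""
    base_dn = headers.get("X-Ldap-BaseDN", SERVER_CONFIG.base_dn)
    template = headers.get("X-Ldap-Template", SERVER_CONFIG.template)
    return bool(ldap_search(base_dn, template % {"username": username}))


def hardened_authorize(headers: Mapping[str, str], username: str) -> bool:
    """Settings come only from server-side configuration, and the username is
    escaped before being interpolated into the filter."""
    del headers  # deliberately ignored: nothing in the request may change policy
    filt = SERVER_CONFIG.template % {"username": ldap_escape(username)}
    return bool(ldap_search(SERVER_CONFIG.base_dn, filt))


if __name__ == "__main__":
    attacker = {"X-Ldap-Template": "(uid=%(username)s)"}  # drops the group check
    print("vulnerable, bob, no override:", vulnerable_authorize({}, "bob"))
    print("vulnerable, bob, override:   ", vulnerable_authorize(attacker, "bob"))
    print("hardened,   bob, override:   ", hardened_authorize(attacker, "bob"))
    print("hardened,   alice:           ", hardened_authorize({}, "alice"))
```

The hardened function shows the daemon-side fix: policy never comes from the request, and the only request-derived value that enters the filter is escaped. The equivalent fix on the NGINX side is to set every X-Ldap-* header explicitly with proxy_set_header in the auth_request location (an empty value for any setting that is not used), because proxy_set_header replaces an incoming header of the same name, so a client-supplied copy is overwritten rather than forwarded to the daemon.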
NB65 Ransomware Group Leverages Conti Ransomware Against Russia Entities
Nearly a month after the Conti ransomware group's source code was leaked, a group of hackers known as "NB65" has begun launching campaigns in Russia using Conti's ransomware. In contrast to Conti's pro-Russian stance, the NB65 group has stated it will only target entities in Russia. Conti, like many other ransomware groups, typically excludes Russian organizations from its targeting because the country serves as a safe harbor for threat actors who attack the Russian government's adversaries. NB65's first targets include the document management operator Tensor, the Russian space agency Roscosmos, and the state-owned Russian television and radio broadcaster VGTRK. Following the VGTRK breach, the group published what it alleges is a full list of VGTRK business contacts on Twitter. NB65 claimed it stole 786.2 gigabytes (GB) of data, including 900,000 emails and 4,000 files, which was subsequently published by the leak site Distributed Denial of Secrets. Towards the end of March, victims of the group began to experience ransomware attacks as well. The ransomware was soon uploaded to VirusTotal, which detected it as Conti. While not identical, Intezer Analyze determined that 66% of the code is shared with Conti's ransomware. When the ransomware is deployed, it encrypts files using the distinctive extension ".NB65" and drops a ransom note. The note includes a thank-you to Conti for giving them easy access to ransomware and states that the group "modified the code in a way that will prevent you from decrypting it with [Conti's] decryptor." NB65 stated it will continue attacks against Russian entities until "Russia ceases all hostilities in Ukraine and end this ridiculous war."
The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days; it typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash (firstname.lastname@example.org) if additional context is needed.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.