
Ankura CTIX FLASH Update - April 22, 2022

Ransomware/Malware Activity

LemonDuck Botnet Leveraged in Cryptomining Attack Campaign

LemonDuck, a known cryptomining botnet, is engaged in an ongoing attack against Docker APIs on Linux servers. LemonDuck gains access through exposed Docker APIs and then runs a malicious container to download a Bash script disguised as a PNG file. Using a Linux cronjob, the payload downloads the Bash file, which then kills processes of competing cryptomining groups and syslog daemons, deletes known IOC file paths, stops command-and-control (C2) connections to competitors, and disables the Alibaba Cloud monitoring service. Removing competing cryptomining groups and as many IOCs as possible is an effective strategy for maximizing available resources while also extending the time the botnet can operate before being discovered. After the system is reformatted, the cryptomining software XMRig is downloaded, and cryptomining begins. LemonDuck generally then attempts lateral movement using SSH keys found on the infected device to propagate further throughout the network. Docker recommends following the best practices guidelines for secure Docker API setup along with setting resource consumption limits. Ankura will continue to monitor LemonDuck’s current campaign and any future campaigns that may come to light.
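A defender-side check for the exposure described above, added here as an example and not taken from Ankura or Docker: it reads a `daemon.json` document and a `dockerd` command line and reports TCP API listeners that do not enforce client-certificate verification. The sample configurations and the severity labels are constructed for illustration.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed samples: an exposed daemon.json and a hardened one.
SAMPLE_EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

def _cmdline_settings(cmdline):
    """Extract -H/--host values and the --tlsverify switch from a dockerd command line."""
    hosts, tlsverify = [], False
    args = shlex.split(cmdline)
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify

def audit_docker_api(daemon_json="{}", cmdline="dockerd"):
    """Return (severity, listener, reason) for each TCP listener lacking tlsverify."""
    cfg = json.loads(daemon_json)
    cli_hosts, cli_tls = _cmdline_settings(cmdline)
    hosts = list(cfg.get("hosts", [])) + cli_hosts
    tlsverify = bool(cfg.get("tlsverify", False)) or cli_tls
    findings = []
    for host in hosts:
        url = urlsplit(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if not tlsverify:
            loopback = url.hostname in ("127.0.0.1", "localhost", "::1")
            severity = "MEDIUM" if loopback else "CRITICAL"
            findings.append((severity, host, "TCP API listener without client-certificate verification"))
    return findings

if __name__ == "__main__":
    for finding in audit_docker_api(SAMPLE_EXPOSED):
        print(finding)
```
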

FBI Warns of Ransomware Attacks Against Critical Infrastructure in Agriculture

The Federal Bureau of Investigation warned that ransomware attacks against agricultural organizations are more likely in the coming harvest and planting seasons. In a time of global food instability due to the ongoing Russian invasion of Ukraine, such attacks against the US agricultural sector could cause further food supply-chain disruptions. Examples of attacks already committed against the US agricultural sector include attacks on six (6) grain cooperatives in fall 2021 during harvest season and, already in 2022, two (2) attacks against companies that provide seed, fertilizer, and logistics. Specifically, the LockBit 2.0 malware was utilized in at least one of these attacks, while other pieces of malware utilized included Conti, BlackMatter, SunCrypt, and BlackByte. Ankura will continue to monitor threats towards US critical infrastructure, including global food supply chains.

Threat Actor Activity

Lapsus$ Compromises T-Mobile, Extorts Company Source Code

Security researchers at KrebsOnSecurity have unveiled threat actor communications claiming that Lapsus$ compromised T-Mobile several times throughout March 2022. Lapsus$ actors claim they have exfiltrated T-Mobile source code for a variety of company projects but did not target any customers of the mobile phone carrier. Historically, Lapsus$ is one of the key threat groups known for data extortion, holding stolen data for ransoms of various amounts. Recently, the group was found to be exfiltrating data and source code from major technology corporations including NVIDIA, Microsoft, and Samsung. Conversations between threat actors reveal that Lapsus$ will often purchase compromised company systems on Russian-affiliated dark web marketplaces prior to their attacks. Lapsus$ members continuously targeted T-Mobile employees with malicious campaigns to gain access to internal company tools and execute hassle-free SIM swap attacks, changing the mobile device number that controlled device access. With successful intrusion, Lapsus$ actors were able to intercept text messages and phone calls, as well as password reset links and multi-factor authentication one-time-passwords. This access allowed Lapsus$ threat actors to successfully exfiltrate data from T-Mobile systems and hold it for an undisclosed ransom. CTIX will continue to monitor the fallout of this compromise and will provide additional information as it becomes available.

TeamTNT Threat Actors Target AWS Systems

The TeamTNT cybercrime organization has been expanding and upgrading its warehouse of malicious scripts and payloads to target Amazon Web Services (AWS). These newly modified programs are crafted meticulously to target AWS systems but can also be deployed on-site, in containers, or on various additional Linux instances. TeamTNT payloads are intended to deploy and exfiltrate credentials from compromised systems in addition to mining cryptocurrency, establishing persistence, and moving laterally within a network. Additionally, TeamTNT actors are modifying these scripts to reduce the chance of detection by lowering the CPU power draw from 100% to 70%, evading some security alerting rules for malicious activity. The capabilities of the scripts TeamTNT deploys show how threat organizations are adapting to modernized environments including AWS, Kubernetes, Docker, and many more. With the continuous advancement of threat actor capabilities, CTIX analysts urge security practitioners and IT departments to establish and modify security rules within network defenses to lessen the chance of system compromise by threat actors.


Android Vulnerabilities Lead to Remote Code Execution

Security researchers from Check Point Technologies have identified critical vulnerabilities in the lossless audio compression coding format used in certain Android devices that, if exploited, could allow attackers to elevate privileges, execute arbitrary code remotely, and pilfer sensitive data. Specifically, the flaws affect Android devices using chipsets built by the chip manufacturing giants Qualcomm and MediaTek. These vulnerabilities are located in the open-source Apple Lossless Audio Codec (ALAC), which preserves all the original audio data even after the file has been compressed. Although the details about the flaws won't be fully released until presentation at the CanSecWest security conference in May 2022, researchers have explained that an attacker can send maliciously crafted audio files to vulnerable users and socially engineer them into opening the file, causing the file to execute. This ability to perform remote code execution (RCE) means that attackers could potentially steal target device data to send back to their command and control (C2) infrastructure, as well as modify hardware configuration settings, and ultimately perform a complete takeover of the device, all with no required user interaction. According to Qualcomm and MediaTek, the vulnerabilities are out-of-bounds reads/writes and improper audio input validation. RCE flaws in audio codecs are very common, but because most are closed-source for security reasons, they are very difficult for even sophisticated hackers to exploit. ALAC presents more of a risk because it is open to the public. These flaws were patched in Android's December 2021 security update, and users are urged to ensure they are running at least that version to defend against these specific exploits. For users running devices that no longer receive automatic updates, it is recommended to install a third-party Android distro that does receive regular updates.

Cisco Umbrella Virtual Appliance Vulnerability Allows for Theft of Admin Credentials

Security updates have been released that patch a critical vulnerability in the Cisco Umbrella Virtual Appliance (VA), which, if exploited, could allow unauthenticated attackers to steal sensitive administrator credentials, giving them complete access to on-premises virtual machines (VM). Cisco Umbrella is a cloud DNS security architecture that defends against attacks by using the virtual appliances as conditional DNS nodes that safely handle and authenticate DNS data. The flaw, tracked as CVE-2022-20773, is caused by the utilization of a static SSH host key, which an attacker could exploit by conducting a man-in-the-middle attack on an Umbrella VA SSH tunnel. Once the key is captured, the attacker can authenticate, allowing them to dig much deeper, learning administrator credentials which would allow them to lock out the actual users, change device configurations to send data back to a location of their choosing, or reload the appliance to perform malicious tasks outside of its intended functionality. Although this vulnerability is critical, SSH is not enabled by default on Umbrella VA machines, meaning that the scale of the potential fallout is greatly reduced. Cisco urges all Umbrella VA administrators to upgrade to the latest stable patch immediately since there are no workarounds or mitigations other than disabling SSH entirely. Cisco has stated that there is currently no publicly available proof-of-concept (PoC) exploit, and there is also no evidence that this vulnerability has been successfully exploited in-the-wild. CTIX team members will continue to follow this vulnerability and will provide updates if needed.
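An inventory check related to the static host key described above, added here as an example and not taken from Cisco or Ankura: it groups `ssh-keyscan`-format output by key fingerprint and lists hosts that present the same host key, so they can be reviewed. It assumes that appliances using a static key present identical keys to a scan; the addresses and key blobs below are constructed placeholders, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

def _blob(label):
    """Build a placeholder base64 key blob for the constructed sample."""
    return base64.b64encode(label.encode()).decode()

# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
SAMPLE_SCAN = "\n".join([
    "# constructed scan output",
    f"192.0.2.10 ssh-ed25519 {_blob('constructed-key-A')}",
    f"192.0.2.11 ssh-ed25519 {_blob('constructed-key-A')}",
    f"192.0.2.20 ssh-ed25519 {_blob('constructed-key-B')}",
])

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_text):
    """Map (keytype, fingerprint) to the sorted hosts that share that host key."""
    by_key = defaultdict(set)
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # not a "host keytype blob" record
        host, keytype, blob = parts[:3]
        try:
            by_key[(keytype, fingerprint(blob))].add(host)
        except ValueError:
            continue  # skip records whose blob is not valid base64
    return {key: sorted(hosts) for key, hosts in by_key.items() if len(hosts) > 1}

if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(keytype, fp, "shared by", ", ".join(hosts))
```
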

The Ankura semi-weekly Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The following is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to Flash ( if additional context is needed.

© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

