Malware Activity
Fluhorse Android Malware Used to Steal 2FA Codes, Credentials, and Credit Card Information
Fortinet has provided updated information regarding Fluhorse, malware that first emerged in May 2023 and is designed to steal two-factor authentication codes along with a multitude of other information types. Fluhorse, first identified last month by Check Point, is used to steal credentials, credit card information, and two-factor authentication codes received through SMS. This is accomplished by imitating Android applications from ETC and VPBank Neo, popular toll apps in East Asia, or through large-scale phishing campaigns over email. What makes this malware unique is its use of Flutter, an open-source software development kit (SDK) for building applications compatible with Android, iOS, Linux, and Windows. The malicious code is integrated directly with the Flutter SDK, and the latest version of Fluhorse incorporates packing and obfuscation techniques to further hide its intent. This is an upgrade over previous versions of the malware, showing that it is an evolving threat of increasing sophistication. Once installed, Fluhorse uses the Dart Telephony package, an open-source library that enables the malware to listen for incoming SMS messages. The malware then posts each incoming SMS to a remote website in order to harvest the two-factor authentication codes it contains. Ankura will continue to monitor the evolution of Fluhorse and the indicators of compromise associated with it.
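The behaviour described above (an app that listens for incoming SMS and relays it over the network) leaves a footprint in the app's manifest: SMS permissions, a receiver for the SMS-received broadcast, and internet access. The following triage check, added here as an example and not code from Fortinet, Check Point or Ankura, parses an AndroidManifest.xml and flags that combination. The manifest it runs on is constructed for illustration, not taken from a real Fluhorse sample; a legitimate messaging app will match too, so treat a hit as a reason to look closer, not as a verdict.

```python
"""Manifest-level triage for SMS-interception capability.

Added example for this note, not the researchers' code.  The sample
manifest is constructed; the package name is a placeholder."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions an app needs to observe SMS content on Android.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
# Broadcast action delivered when an SMS arrives; a receiver filtering on
# it is the usual way an app observes incoming messages.
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: asks for SMS permissions, registers an SMS receiver,
# and asks for network access (needed to post messages to a remote site).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed_sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Toll Pass">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def analyze_manifest(xml_text: str) -> dict:
    """Summarise SMS-related permissions and receivers in a manifest."""
    root = ET.fromstring(xml_text)
    # Element names are not namespaced in a manifest; attributes are.
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    sms_receivers = [
        r.get(NAME_ATTR)
        for r in root.iter("receiver")
        if any(a.get(NAME_ATTR) == SMS_RECEIVED_ACTION for a in r.iter("action"))
    ]
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers,
        "internet": "android.permission.INTERNET" in perms,
    }
    # Read incoming SMS + reach the network = the capability described in
    # the note (harvest codes, post them to a remote site).
    findings["sms_exfil_capable"] = bool(
        findings["sms_permissions"] and sms_receivers and findings["internet"]
    )
    return findings


if __name__ == "__main__":
    for key, value in analyze_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest extracted from an APK (for example with apktool) and compare the flagged package against the list of apps the user actually expects to handle SMS.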
Threat Actor Activity
Threat Profile: 8Base Ransomware
Threat actors from the relatively unknown 8Base ransomware organization have become increasingly active over the past several weeks, ransoming several organizations and leaking data on their public leak forum. The 8Base ransomware group is a year-old "name-and-shame" organization that often threatens its victims with immediate data leakage if their ransom demands are not promptly fulfilled. 8Base threat actors have compromised companies on a global scale, primarily in the finance, healthcare, hospitality, legal, and information technology industries. When exploiting their targets, 8Base actors will often deploy a variant of the Phobos ransomware and/or the SmokeLoader malware downloader, delivered primarily through social engineering techniques. While 8Base remains its own threat group, there are significant similarities between the group and another destructive ransomware group known as RansomHouse. These alignments are seen in several areas, including a near-identical ransom note on compromised systems alongside identical welcome page messages, Terms of Service statements, and frequently asked questions (FAQ) sections on the public leak forum. While there are some differences between the two ransom groups, these factors support a medium-high confidence assessment that 8Base is a sub-organization or rebrand of RansomHouse. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
More than 200,000 WordPress Sites Vulnerable to Privilege Escalation
Automattic's "WP[.]cloud" and "Pressable[.]com" platforms have identified a trend of rogue accounts present on WordPress websites stemming from the active exploitation of a critical privilege escalation vulnerability in the WordPress plugin Ultimate Member. Ultimate Member is a plugin that allows site administrators to add new profiles, define roles, and create member directories with ease. The technical details of the flaw, tracked as CVE-2023-3460, are being withheld for now, but WPScan, WordPress's security firm, states that the flaw lies in a component called User Meta Update Handler, specifically in a conflict between Ultimate Member's blocklist logic and WordPress's metadata keys. Ultimate Member stores privileged metadata keys in blocklists that validate whether users attempting to create new accounts are authorized to register those keys. Exploitation allows unauthenticated attackers to trick Ultimate Member into letting them update the metadata keys that store user roles and permissions. This allowed the attackers to register administrative user accounts, giving themselves full control over the compromised sites. The maintainers of the plugin quickly patched the vulnerability; however, WPScan researchers were able to circumvent the update in multiple ways. The Ultimate Member plugin is very popular, with over 200,000 active installations, and the flaw carries a CVSS score of 9.8/10. At this time there are no effective patches, countermeasures, or workarounds, and site owners and administrators are urged to disable the plugin and monitor their site for suspicious or malicious activity. If this vulnerability cannot be completely patched, it may be advisable for site owners to replace the Ultimate Member plugin with an alternative solution. CTIX analysts will continue to monitor the activity surrounding this flaw and may release an update in the near future.
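The symptom reported above is rogue administrator accounts, and the role an account holds lives in the usermeta key the attackers were able to update. An audit that site owners can run while the plugin is disabled, added here as an example and not code from WPScan, Automattic or the Ultimate Member project: it reads the role data WordPress keeps in `wp_usermeta` (a PHP-serialized array under the `<prefix>capabilities` key), lists every account holding `administrator`, and flags those that are not on the owner's known list or were registered recently. The rows below are constructed; the table prefix `wp_`, the 30-day window and the "known admins" list are assumptions to be replaced with the site's own values.

```python
"""Rogue-administrator audit for a WordPress site.

Added example for this note, not the plugin's or the researchers' code.
Sample rows are constructed.  On a real site the same rows come from:
  SELECT u.ID, u.user_login, u.user_registered, m.meta_value
  FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
  WHERE m.meta_key = 'wp_capabilities';
(table prefix 'wp_' assumed)."""
import re
from datetime import datetime, timedelta

# WordPress serialises roles as a PHP array, e.g.
#   a:1:{s:13:"administrator";b:1;}
# A role is granted when its boolean is b:1.
GRANTED_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

# Constructed sample rows: (ID, user_login, user_registered) from wp_users
USERS = [
    (1, "siteowner", "2021-03-02 10:15:00"),
    (2, "editor_jane", "2022-07-19 08:00:00"),
    (57, "wpadmin_support", "2023-06-28 02:41:13"),
    (58, "member_tmp", "2023-06-29 04:02:55"),
]
# Constructed sample rows: (user_id, meta_key, meta_value) from wp_usermeta
USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (57, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (58, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    (58, "nickname", "tmp"),
]


def roles_from_capabilities(serialized: str) -> set:
    """Return the set of role names granted in a serialized capabilities array."""
    return set(GRANTED_ROLE_RE.findall(serialized))


def find_rogue_admins(users, usermeta, known_admins, now, window_days=30, prefix="wp_"):
    """List administrator accounts that are unknown to the owner or newly registered.

    Returns a list of (user_id, login, reasons) tuples."""
    cap_key = f"{prefix}capabilities"
    roles_by_user = {
        uid: roles_from_capabilities(value)
        for uid, key, value in usermeta
        if key == cap_key
    }
    cutoff = now - timedelta(days=window_days)
    findings = []
    for uid, login, registered in users:
        if "administrator" not in roles_by_user.get(uid, set()):
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("not in known admin list")
        if datetime.strptime(registered, "%Y-%m-%d %H:%M:%S") >= cutoff:
            reasons.append(f"registered {registered}")
        if reasons:
            findings.append((uid, login, reasons))
    return findings


if __name__ == "__main__":
    # Reference date chosen to match the constructed rows.
    for uid, login, reasons in find_rogue_admins(
        USERS, USERMETA, known_admins={"siteowner"}, now=datetime(2023, 7, 3)
    ):
        print(f"user {uid} ({login}): {'; '.join(reasons)}")
```

Any account the audit lists should be confirmed with the site owner before removal; the registration timestamp and the account's other usermeta rows are the first places to look when reconstructing how it was created.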
Honorable Mention
Federal ADPPA Private Right of Action Balancing Act
As lawmakers on Capitol Hill debate the way forward for federal privacy regulation, many are using a current Illinois law to weigh the potential pros and cons of replicating it at the federal level. The law, known as the Biometric Information Privacy Act (BIPA), pertains to companies collecting the biometric identifiers of Illinois residents, such as their fingerprints, faceprints, or iris scans, and requires such companies to alert the affected residents and obtain their consent in writing. The law was passed in 2008 and has a powerful clause allowing private citizens to sue companies for privacy violations. A proposed private right of action provision in the federal American Data Privacy and Protection Act (ADPPA) would give private citizens the same right to sue companies for privacy violations, but under federal privacy law. This provision was the main obstacle to advancing the bill to the House or Senate floor last year despite its overwhelming bipartisan backing. On one side, privacy activists don't want to support a bill that doesn't include a powerful private right of action. They have argued that state and federal agencies lack the bandwidth to bring their own lawsuits, or that some agencies may have been "captured" by the industry, leaving citizens without a means of meaningfully enforcing privacy violations. However, big tech and other companies strongly opposed the private right of action element of the bill because of the high likelihood that such a provision would be abused by plaintiffs' attorneys. Individual plaintiffs have already won large settlements under Illinois' BIPA law. While privacy activists see it as necessary to protect basic privacy rights and businesses see it as a provision that encourages unfair litigation, lawmakers are seeking a way to scale back the private right of action element of ADPPA and make it more business-friendly.
ADPPA's time will come when Congress will look for a way to balance the complex tradeoff between individuals' basic rights to privacy and the ability for businesses to function without expensive and potentially exploitative lawsuits.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.