Malware Activity
"Mallox" Ransomware Increases Activity in 2023 by 174%
Researchers have published a new report on the "Mallox" ransomware, whose activity in 2023 has risen 174% compared with the second half of 2022. Mallox (also known as "TargetCompany" and "FARGO") has been active since June 2021 and typically compromises Microsoft Windows systems through unsecured, internet-exposed Microsoft SQL servers. It has historically hit organizations across many industries worldwide, the majority in "manufacturing, professional and legal services, and wholesale and retail." In the recent campaign, the operators have used dictionary brute-force attacks (trying a list of common passwords against the target's SQL Server logins), network scanners for discovery, and data exfiltration tooling. Mallox practices double extortion: data is exfiltrated before files on the victim machine are encrypted, and the group threatens to publish it on its leak site if the demanded ransom is not paid. Members of the operation have been observed recruiting on popular hacking forums, notably in May 2022 and January 2023, to expand the Mallox ransomware-as-a-service (RaaS) affiliate program. As the operation continues to grow, administrators are urged to keep all internet-facing applications secured and up-to-date, and in particular not to expose SQL Server directly to the internet and to enforce strong, non-default passwords on SQL logins, since the observed intrusions begin with password guessing. Additional technical details and indicators of compromise (IOCs) are available in the report linked below.
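The brute-force-first intrusion pattern described above is detectable from SQL Server's own login auditing. The following added example (not code from the report or from Ankura) parses constructed Windows Application log lines in which SQL Server records failed logins as event 18456, uses a sliding window to flag a client that fails a threshold number of logins inside a short period, lists every account it tried, and reports whether a login from that client then succeeded. The line format, client addresses, window and threshold are assumptions; the event message text follows SQL Server's real 18456 wording.

```python
# Added example (not from the Ankura report or the Mallox research): flag
# dictionary brute-force attempts against SQL Server from login-audit events.
# SQL Server writes failed logins to the Windows Application log as event 18456
# ("Login failed for user '<name>' ... [CLIENT: <ip>]"); the line format used
# here ("<ISO timestamp> <event id> <message>") and the addresses are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

FAILED_LOGIN = "18456"
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[\d.]+)\]")

# Constructed sample: one host hammers 'sa' (plus one other account) and then
# logs in; a second host has two slow failures that look like a user typo.
SAMPLE_LOG = [
    "2023-07-18T02:14:01 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:14:02 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:14:03 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:14:04 18456 Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:14:05 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:14:06 18456 Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:14:21 18454 Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
    "2023-07-18T02:20:00 18456 Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]",
    "2023-07-18T02:25:00 18456 Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]",
]


def parse_line(line):
    """Split a constructed log line into (timestamp, event id, message)."""
    ts, event_id, message = line.split(" ", 2)
    return datetime.fromisoformat(ts), event_id, message


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per client IP that produced >= threshold failed logins
    inside any `window`, listing every account tried and whether a login from
    the same client succeeded after its last failure (a likely compromise)."""
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in lines:
        ts, event_id, message = parse_line(line)
        if event_id == FAILED_LOGIN and (m := FAIL_RE.search(message)):
            failures[m["ip"]].append((ts, m["user"]))
        elif m := SUCCESS_RE.search(message):
            successes[m["ip"]].append((ts, m["user"]))

    alerts = []
    for ip, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):          # sliding window over sorted failures
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue                            # slow or isolated failures: not a dictionary run
        last_failure = events[-1][0]
        later = [user for ts, user in sorted(successes.get(ip, [])) if ts > last_failure]
        alerts.append({
            "ip": ip,
            "failures": len(events),
            "peak_in_window": peak,
            "users": sorted({user for _, user in events}),
            "success_after": later[0] if later else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` and `window` to the instance's normal failure rate; a burst followed by `success_after` being set is the case to escalate, because it means a guessed password worked and the operator's next steps (scanning, staging data, encryption) are likely already under way.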
Threat Actor Activity
North Korean Hackers Reportedly Breach JumpCloud
A sophisticated threat group tied to the North Korean state has reportedly compromised systems at the cloud-based IT management provider JumpCloud. The attackers gained access to the company's infrastructure through a carefully crafted spear-phishing campaign against JumpCloud employees. Among the indicators of compromise shared with security researchers was the IP address of a large web hosting provider that is known to be used by multiple threat groups. Because it is shared hosting, the address is not malicious on its own, but researchers identified one (1) domain hosted there that matched a suspicious domain observed on JumpCloud's network. That domain also shared a TLS (SSL) certificate with another suspicious domain, a link that could reveal more about the threat actor(s) behind it. Combined with other indicators and malicious artifacts, analysts assess with medium-high confidence that the attack originated from Lazarus Group, a well-established North Korean hacking team responsible for numerous cyberattacks. Lazarus appears to have targeted JumpCloud for financial gain, likely hoping to gather intelligence on the company's cryptocurrency clients in order to steal their digital assets. CTIX continues to monitor fallout from the JumpCloud compromise and will provide additional updates accordingly.
Vulnerabilities
CISA Adds ColdFusion Authentication Bypass Vulnerabilities to the KEV
Two (2) critical vulnerabilities in Adobe's ColdFusion product have been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch the flaws no later than August 10, 2023. ColdFusion is Adobe's application server and rapid scripting environment for building and deploying dynamic web applications in the ColdFusion Markup Language (CFML). The first vulnerability, tracked as CVE-2023-29298, is an improper access control flaw that lets an unauthenticated, remote attacker bypass the access restrictions protecting ColdFusion's CFM (ColdFusion Markup) and CFC (ColdFusion Component) endpoints, with no user interaction required. After Adobe patched CVE-2023-29298, researchers reported that the patch could be trivially bypassed; that bypass is now tracked as CVE-2023-38205 and achieves the same result. In observed attacks, the access control bypass was chained with two (2) deserialization-of-untrusted-data flaws, CVE-2023-29300 and its patch bypass CVE-2023-38203, to achieve remote code execution (RCE) and install web shells on vulnerable ColdFusion servers for persistent backdoor access. These vulnerabilities are being actively exploited in the wild, and CTIX analysts urge all ColdFusion developers and administrators to install the patched version of the software immediately and, as defense in depth, to restrict external access to the ColdFusion Administrator (/CFIDE) endpoints at the web server or perimeter.
- The Hacker News: Adobe ColdFusion Vulnerabilities Article
- Bleeping Computer: Adobe ColdFusion Vulnerabilities Article
- Bleeping Computer: CISA Advisory Article
- Rapid7: Adobe ColdFusion Vulnerabilities Report
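One defense-in-depth check that fits the access-control bypasses described above: compare the request path against the restricted ColdFusion Administrator endpoints only after canonicalizing it, and alert on any external client that reaches them. The following added example (not code from Adobe, Rapid7, or the original article) implements that check in Python and runs it over constructed access-log lines. The restricted prefixes are ColdFusion's real administrator paths; the client addresses, log lines, and 10.0.0.0/8 management network are assumptions. The duplicate-slash, dot-segment and percent-encoded variants in the sample are generic path-confusion cases used to exercise the canonicalizer, not a reproduction of the CVE-2023-29298 or CVE-2023-38205 bypass.

```python
# Added example (not Adobe's, Rapid7's, or the original article's code): enforce
# the ColdFusion Administrator access restriction on a canonicalized path and
# scan access-log lines for attempts to reach it from outside the management
# network. RESTRICTED_PREFIXES are ColdFusion's real administrator paths; the
# log lines, client addresses and the 10.0.0.0/8 management range are constructed.
import ipaddress
import posixpath
import re
from urllib.parse import unquote

RESTRICTED_PREFIXES = ("/cfide/administrator", "/cfide/adminapi")
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed management range


def canonicalize(raw_path):
    """Reduce a request path to the form the application will actually route:
    drop the query string, decode percent-encoding (twice, to catch double
    encoding), fold backslashes, collapse repeated slashes, resolve '.' and
    '..' segments, and lower-case (ColdFusion on Windows is case-insensitive)."""
    path = unquote(unquote(raw_path.split("?", 1)[0])).replace("\\", "/")
    path = re.sub(r"/+", "/", "/" + path)   # posixpath keeps a leading '//', so collapse first
    return posixpath.normpath(path).lower()


def naive_is_restricted(raw_path):
    """The literal prefix check an access filter must NOT rely on: any
    variation in the raw path slips past it even though the same endpoint is hit."""
    return raw_path.startswith("/CFIDE/administrator") or raw_path.startswith("/CFIDE/adminapi")


def is_restricted(raw_path):
    """Hardened check: match on the canonical path, not the raw one."""
    path = canonicalize(raw_path)
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def allowed(client_ip, raw_path):
    """Permit the request unless it targets a restricted endpoint from outside ADMIN_NETWORKS."""
    if not is_restricted(raw_path):
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ADMIN_NETWORKS)


# Common log format: client, ident, user, [timestamp], "METHOD path proto", status, bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed access-log lines; the first three are external probes using
# generic path-confusion tricks, the fourth is legitimate admin use, the fifth is normal traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jul/2023:10:01:02 +0000] "GET //CFIDE/adminapi/base.cfc?x=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Jul/2023:10:01:03 +0000] "POST /cfusion/../CFIDE/administrator/index.cfm HTTP/1.1" 200 2048',
    '198.51.100.4 - - [19/Jul/2023:10:02:10 +0000] "GET /%43FIDE/administrator/ HTTP/1.1" 403 120',
    '10.20.30.40 - - [19/Jul/2023:10:03:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 2048',
    '203.0.113.9 - - [19/Jul/2023:10:04:00 +0000] "GET /index.cfm HTTP/1.1" 200 900',
]


def find_admin_probes(lines):
    """Return (client ip, canonical path, status) for every request that the
    canonicalizing check would deny. A 200 here means the server let an
    external client reach the administrator; a 403 means the probe was blocked."""
    probes = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and not allowed(m["ip"], m["path"]):
            probes.append((m["ip"], canonicalize(m["path"]), int(m["status"])))
    return probes


if __name__ == "__main__":
    for probe in find_admin_probes(SAMPLE_LOG):
        print(probe)
```

The check is only as good as its agreement with how the front-end web server and the Tomcat connector actually normalize paths, so it belongs at the perimeter (web server or WAF) alongside, not instead of, the patched ColdFusion build; a 200 response to an external request for a canonical /cfide/administrator or /cfide/adminapi path is the line to investigate first.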
Honorable Mention
Intelligence Nominee, Timothy Haugh, Warns About AI Threats to Upcoming Election
Timothy Haugh, currently deputy commander of US Cyber Command, raised his concerns about generative artificial intelligence (AI) as the country approaches its next election cycle. Haugh has experience with election threats, having recently co-led a joint task force with the National Security Agency (NSA) focused on protecting the midterm elections from foreign hackers. During his second nomination hearing as the nominee to lead US Cyber Command and the NSA, he told the Senate Armed Services Committee that this election cycle will differ somewhat from past ones, and that the role generative AI will play must be considered. Generative AI produces new, authentic-looking content (text, images, audio, or video) from a user's prompt. Such tools are a growing concern, especially among senior national security officials worried about their misuse. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), went so far as to call generative AI the greatest issue she expects to have to deal with this century. These technologies have legitimate uses, but they are equally available to malicious actors, cybercriminals, and nation states. Foreign threats to the ballot box are nothing new, but generative AI will likely make this election cycle much more challenging for those working to uphold its integrity.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.