Malicious Rocket Alerting Application Discovered Targeting Israeli Android Users
Researchers have discovered threat actors targeting rocket alerting applications and creating malicious versions to target Israeli Android users. As of October 13, 2023, over 5,000 rockets have been launched into Israel following the Hamas attacks that began on October 7, 2023. The app "RedAlert - Rocket Alerts" was developed by Elad Nava to allow individuals to receive "timely and precise alerts about incoming airstrikes" and has been downloaded over 1 million times. A malicious Android application package (APK) of the "RedAlert - Rocket Alerts" application has been identified on a malicious website (created on October 12, 2023) impersonating the legitimate site. Researchers noted that an iOS application is also shown on the website but refers users to the legitimate iOS application. The fraudulent Android application acts as spyware and requests permissions to access contacts, account information, call logs, SMS, and an overview of installed apps. The following information is currently collected by the APK: device details (SIM data, network type, country, PIN status, voicemail number, etc.), full contact list, list of accounts associated with the device, logged-in email and app accounts, list of installed apps, and all phone calls and conversation details for incoming, outgoing, missed, rejected, and blocked calls. The exfiltrated data is sent to a hardcoded IP address, and researchers have not attributed the fraudulent application to a specific threat group at this time. The malicious application also includes anti-analysis capabilities that begin once the app is started by the victim. Researchers have also been observing multiple threat groups choosing sides in the conflict. The pro-Palestinian hacktivist group AnonGhost has been observed targeting Israeli users since the Hamas attacks began by allegedly exploiting a vulnerability in the application "Red Alert: Israel" by Kobi Snir.
This has allegedly allowed them to "intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a 'nuclear bomb is coming'." AnonGhost has also claimed to have attacked additional applications, including "RedAlert" by Elad Nava. CTIX analysts are continuously monitoring this ongoing conflict and will provide updates relating to cyber movement when applicable.
- Bleeping Computer: Fraudulent RedAlert App Article
- Cloudflare: Fraudulent RedAlert App Report
- Cyber News: Red Alert App Exploited Article
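As an added illustration of the app-vetting check this item points to (not code from the researchers or from either RedAlert app), the following Python triages a decoded AndroidManifest.xml against the small permission baseline an alerting app actually needs and calls out the permissions that map to the data the spyware above collects. The manifest, package name and baseline are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant access to the data categories the spyware collects.
# None of them is needed to deliver an airstrike alert.
SPYWARE_INDICATORS = {
    "android.permission.READ_CONTACTS": "full contact list",
    "android.permission.GET_ACCOUNTS": "accounts associated with the device",
    "android.permission.READ_CALL_LOG": "phone call history",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_PHONE_STATE": "SIM and device details",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
}

# Constructed manifest for the example; not taken from the real malicious APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.rocketalerts">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {elem.get(f"{{{ANDROID_NS}}}name") for elem in root.iter("uses-permission")}


def triage(manifest_xml, expected):
    """Map every permission beyond the expected baseline to the data it exposes."""
    extra = requested_permissions(manifest_xml) - expected
    return {p: SPYWARE_INDICATORS.get(p, "not needed for alerting") for p in sorted(extra)}


if __name__ == "__main__":
    baseline = {"android.permission.INTERNET", "android.permission.POST_NOTIFICATIONS"}
    for perm, why in triage(SAMPLE_MANIFEST, baseline).items():
        print(f"SUSPICIOUS {perm}: grants access to {why}")
```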
Threat Actor Activity
AvosLocker Ransomware Attacks on Critical Infrastructure are On the Rise
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently released a joint cybersecurity advisory regarding the continued emergence of ransomware-as-a-service (RaaS) operations. The report also detailed the AvosLocker ransomware gang's linkage to attacks targeting the critical infrastructure sectors in the US. The AvosLocker group uses their own ransomware variant that is believed to have emerged in mid-2021 and affects Windows, Linux, and VMware ESXi environments with capabilities such as disabling antivirus protections and evading other detection measures. AvosLocker-affiliated attacks are notorious for their living-off-the-land (LotL) tactics, which decrease the traces left behind and increase the difficulty of attributing attacks. Another common technique seen being used to compromise organizations' networks is the use of legitimate software, utilities, and tools (e.g., FileZilla, Rclone, Chisel, and Ligolo) for data exfiltration and tunneling activities. Further aspects of AvosLocker attacks include the use of Cobalt Strike and Sliver for command-and-control (C2), Mimikatz and LaZagne for credential theft, and custom PowerShell and Windows Batch scripts for lateral movement, privilege escalation, and disarming security software. A new component observed in recent AvosLocker-affiliated attacks is an executable that masquerades as a network monitoring tool but is actually used by the threat actor as a reverse proxy to connect to the host from outside the victim's network. Agencies like CISA and the FBI have expressed heightened concerns about RaaS operations, like those conducted by AvosLocker and others, because of the influx over the last year of novice cybercriminals who face a lowered barrier to entry into illicit activities, with the ability to use sophisticated tools and tactics against high-profile targets.
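The following added Python example (not code from the CISA/FBI advisory) shows how the TTPs above translate into detection logic: it runs over constructed process-creation events and flags the exfiltration and tunneling tools the advisory names, plus a binary that carries the name of a deployed network-monitoring tool but not its hash. Host names, paths, tool name "netmon.exe" and hash values are placeholders.

```python
from collections import namedtuple

# Constructed process-creation events in a Sysmon Event ID 1 style; not real telemetry.
Event = namedtuple("Event", "host image cmdline sha256")
SAMPLE_EVENTS = [
    Event("srv01", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", "sha-placeholder-1"),
    Event("srv01", r"C:\Users\Public\rclone.exe", "rclone.exe copy D:\\share remote:bucket", "sha-placeholder-2"),
    Event("ws07", r"C:\Temp\chisel.exe", "chisel.exe client", "sha-placeholder-3"),
    # Same image name as the deployed monitoring tool, but a hash the organisation never shipped.
    Event("ws07", r"C:\Program Files\NetMon\netmon.exe", "netmon.exe", "sha-placeholder-4"),
    Event("ws07", r"C:\Program Files\NetMon\netmon.exe", "netmon.exe", "sha-placeholder-5"),
]

# Legitimate tools the advisory reports being abused for exfiltration and tunneling.
EXFIL_TUNNEL_TOOLS = {"rclone.exe", "filezilla.exe", "chisel.exe", "ligolo.exe"}

# Hashes of the binaries actually deployed under a given name (constructed placeholder values).
KNOWN_GOOD_HASHES = {"netmon.exe": {"sha-placeholder-5"}}


def basename(image_path):
    """Lower-cased file name from a Windows image path."""
    return image_path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, rule, image_name) tuples for events matching the AvosLocker TTPs above."""
    alerts = []
    for ev in events:
        name = basename(ev.image)
        if name in EXFIL_TUNNEL_TOOLS:
            alerts.append((ev.host, "exfil_or_tunnel_tool", name))
        # A trusted name alone is not trust: compare the hash to what was actually deployed.
        if name in KNOWN_GOOD_HASHES and ev.sha256 not in KNOWN_GOOD_HASHES[name]:
            alerts.append((ev.host, "masquerading_binary", name))
    return alerts


if __name__ == "__main__":
    for host, rule, name in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({name})")
```

In production the hash allow-list would come from the software inventory, and the tool list would be matched on original file name and signer as well, since renaming a binary defeats a name-only rule.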
ICS Routers Vulnerable to Exploitation Giving Attackers Admin Control of Exploited Devices
The Chinese IoT and video surveillance solutions manufacturer Milesight has reported the active exploitation of certain industrial routers produced by the company that could allow attackers to access sensitive router components. The flaw, tracked as CVE-2023-43261, affects the UR-series 3G/4G/5G industrial cellular routers and exposes system log files, such as "httpd.log", that contain administrator passwords. The passwords could be identified and easily cracked by unauthenticated threat actors to gain administrative access to the vulnerable devices. Although, according to Milesight, only several hundred internet-exposed routers are vulnerable, exploitation could allow attackers to pivot into Industrial Control System (ICS) networks. This could potentially give them access to "industrial automation, self-service kiosks, traffic lighting, smart grid assets, medical equipment, and retail infrastructure." A working proof-of-concept (PoC) exploit has been made public by the researcher who identified the flaw. The vulnerability has been patched, and CTIX analysts recommend that any administrators responsible for networks leveraging these devices ensure that they are running the most up-to-date firmware to prevent future exploitation.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.