BiBi-Linux Wiper Variant "BiBi-Windows Wiper" Identified
Researchers have discovered "BiBi-Windows Wiper", a Windows-based variant of the "BiBi-Linux Wiper" malware used in cyberattacks against Israel by a pro-Hamas hacktivist group. Researchers noted that the original Linux-based malware is an x64 ELF executable that currently lacks obfuscation or protective measures. The malware is able to "specify target folders and can potentially destroy an entire operating system if run with root permissions." Additionally, BiBi-Windows Wiper deletes all shadow copies from the system and is multithreaded for increased speed. The appearance of a Windows variant so soon after the Linux-based wiper leads researchers to believe that the campaign is expanding beyond application servers to end-user machines as well. Researchers emphasized that the current campaign is primarily centered on Israeli IT and government sectors, and identified tactical overlaps between "the hacktivist group, who call themselves Karma, and another geopolitically motivated actor codenamed Moses Staff". The infection vectors of both BiBi wipers are currently unknown. Indicators of compromise (IOCs) and additional technical details can be found in the reports linked below.
- The Hacker News: BiBi-Windows Article
- BlackBerry: BiBi-Windows Wiper Report
- The Hacker News: BiBi-Linux Wiper Article
- Security Joes: BiBi-Linux Wiper Report
Threat Actor Activity
New "Hunters International" Ransomware Group Observed Using Hive's Source Code and Infrastructure
After being shut down by the Federal Bureau of Investigation (FBI) and other international law enforcement agencies in January 2023, the notorious Hive ransomware group appears to have sold its source code and infrastructure to a new ransomware group called Hunters International. The now-dismantled Hive Ransomware-as-a-Service (RaaS) operation had an estimated 1,500 targets worldwide, amassed upwards of $100 million in ransom payments, and was known to target hospitals, school districts, and financial institutions since its founding in June 2021. The threat actors behind the emerging Hunters International have been working to dispel speculation that they are a rebrand of Hive, stating that they purchased the source code and websites from the previous developers to kick-start Hunters International's own pursuits in the threat landscape. Upon analyzing the group's operations, researchers found Hunters International's ransomware code to be noticeably simpler, having "reduced the number of command line parameters, streamlined the encryption key storage process, and made the malware less verbose compared to earlier versions." With five (5) victims already, it appears that Hunters International is positioning itself as a more data-exfiltration-centric group with less focus on data encryption. While there is a significant advantage to having a mature toolkit in their possession, it is unclear what the future holds for Hunters International or whether they will be able to prove their competence. CTIX analysts will continue to monitor relevant threat actor developments and provide updates as operations evolve.
Cl0p Threat Actors Exploit Critical Vulnerability in SysAid
Cl0p threat actors, otherwise known as TA505 or Lace Tempest, have been observed actively exploiting a zero-day vulnerability in SysAid, a comprehensive IT Service Management (ITSM) solution, to infiltrate corporate servers and deploy ransomware. The vulnerability, tracked as CVE-2023-47246, is a path traversal flaw that leads to remote code execution (RCE). The compromise was discovered on November 2, 2023, when attackers breached on-premises SysAid servers. Once the flaw is successfully exploited, attackers upload a Web Application Resource (WAR) archive containing a webshell to the SysAid Tomcat web service, enabling the malicious activity. This includes executing PowerShell scripts, injecting GraceWire malware into legitimate processes, and avoiding detection by security products like Sophos. SysAid released a report detailing the attack mechanism and the steps taken by the threat actor, including data exfiltration and log deletion to cover their tracks. The attackers also deployed additional scripts for Cobalt Strike listener access on compromised hosts. SysAid has since patched the flaw, and CTIX analysts urge all administrators and maintainers responsible for on-premises SysAid servers to update to the latest version immediately. Administrators are also advised to inspect servers for any signs of compromise. SysAid's report provides indicators of compromise (IOCs), including filenames, hashes, IP addresses, file paths, and attacker commands to help detect or prevent intrusions.
- Bleeping Computer: CVE-2023-47246 Article
- The Record: CVE-2023-47246 Article
- SysAid: CVE-2023-47246 Report
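The two behaviours described above that a defender can hunt for without the vendor IOCs are an unexpected WAR being deployed into the Tomcat webapps directory with the web server then spawning PowerShell (the SysAid chain), and mass shadow-copy deletion (the BiBi wipers). The following added example, which is not from any of the linked reports, runs simple triage rules over constructed Tomcat and Windows process-creation events; the log shape, the allowlisted WAR name and the sample file names are assumptions for illustration only.

```python
import re

# Constructed sample events (not IOCs from the linked reports). Each line is
# "source|key=value|...": a Tomcat deployment message and Windows
# process-creation records in a deliberately simplified, hypothetical shape.
SAMPLE_EVENTS = [
    "tomcat|msg=Deploying web application archive [/opt/sysaid/tomcat/webapps/sysaid.war]",
    "tomcat|msg=Deploying web application archive [/opt/sysaid/tomcat/webapps/placeholder-unknown.war]",
    "winproc|parent=java.exe|image=powershell.exe|cmdline=powershell.exe -File stage.ps1",
    "winproc|parent=explorer.exe|image=vssadmin.exe|cmdline=vssadmin.exe Delete Shadows /All /Quiet",
    "winproc|parent=explorer.exe|image=notepad.exe|cmdline=notepad.exe notes.txt",
]

# WARs that legitimately belong on this hypothetical SysAid host (assumption).
ALLOWED_WARS = {"sysaid.war"}

# Tomcat's HostConfig deployment message carries the archive path in brackets.
WAR_DEPLOY_RE = re.compile(r"Deploying web application archive \[(?P<path>[^\]]+)\]")
# Built-in Windows utilities commonly used to remove all shadow copies.
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)


def parse_event(line):
    """Split 'source|k=v|k=v' into a dict, keeping the source under 'source'."""
    source, *fields = line.split("|")
    event = {"source": source}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def triage(lines, allowed_wars=ALLOWED_WARS):
    """Return (rule, detail) findings for the three behaviours named above."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["source"] == "tomcat":
            m = WAR_DEPLOY_RE.search(ev.get("msg", ""))
            if m and m.group("path").rsplit("/", 1)[-1] not in allowed_wars:
                findings.append(("unexpected_war_deploy", m.group("path").rsplit("/", 1)[-1]))
        elif ev["source"] == "winproc":
            image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
            if parent == "java.exe" and image in ("powershell.exe", "cmd.exe"):
                findings.append(("webserver_spawned_shell", ev.get("cmdline", "")))
            if SHADOW_DELETE_RE.search(ev.get("cmdline", "")):
                findings.append(("shadow_copy_deletion", ev.get("cmdline", "")))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

On a real host the same rules would be fed from catalina.out and Sysmon/4688 process-creation events, and any hit should be cross-checked against the vendor-published IOCs.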
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (firstname.lastname@example.org) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.