Ransomware/Malware Activity
New Method of DLL Hijacking Circumvents Windows Detection
A new Dynamic Link Library (DLL) search order hijacking technique has come to light that lets threat actors execute arbitrary code on Windows 10 and Windows 11 devices by abusing trusted binaries that ship inside the Windows folder. DLL search order hijacking manipulates the order in which an application looks for the DLLs it needs: when an application does not reference a library by its full path, the loader walks a predefined list of directories, so an attacker who can place a DLL of the same name in a directory that is searched before the legitimate location gets that DLL loaded instead. Because the malicious code then runs inside a process that the operating system and security tools classify as safe and trusted, it is less likely to be captured. Cybersecurity firm Security Joes states in its report that the malicious code is run using a trusted binary located in the WinSxS (Windows Side by Side) folder. By targeting binaries in WinSxS, the researchers achieved a more effective form of DLL hijacking because of the unique properties of that folder. No privilege escalation is required to run the code, and because trusted binaries already present in WinSxS do the loading, the attacker avoids introducing executables of their own, which would be more easily detected by security services. The result is a scenario in which the OS believes it is executing a trusted application in a trusted environment, which is subject to much less scrutiny. Security Joes demonstrated a proof of concept by placing a custom DLL, named to match a legitimate DLL that the researchers knew a specific WinSxS binary would look for, in the directory that binary searches. When the binary ran, it found the custom DLL first and loaded it in place of the legitimate one. CTIX analysts will continue to monitor developments of this technique and industry responses to this new threat.
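The mechanism above (a trusted WinSxS binary resolving a DLL name to an attacker-controlled file) leaves a visible trace in image-load telemetry. The following is an added example written for this update, not code from Security Joes or from the report; it assumes a Sysmon Event ID 7 (Image loaded) export with one JSON object per line, and every record, binary name and DLL name in it is constructed for illustration. It flags loads where the loading process lives under C:\Windows\WinSxS and the loaded DLL either comes from outside the Windows directory or is not Microsoft-signed.

```python
"""Added example: hunt for DLL search-order hijacking through WinSxS binaries in
Sysmon Event ID 7 (Image loaded) records. Not Security Joes' code; the records
below are constructed samples and the component, tool and DLL names are made up."""
import json

WINDOWS_DIR = r"C:\Windows"
WINSXS_DIR = r"C:\Windows\WinSxS"


def _norm(path):
    """Case-insensitive, backslash-only form so prefix checks are reliable."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _under(path, root):
    """True if path is root itself or lies somewhere beneath it."""
    path, root = _norm(path), _norm(root)
    return path == root or path.startswith(root + "\\")


def classify(event):
    """Return (severity, reason) for one Event ID 7 record, or None if it is not suspicious."""
    if event.get("EventID") != 7:
        return None
    image, loaded = event.get("Image", ""), event.get("ImageLoaded", "")
    if not _under(image, WINSXS_DIR):
        return None  # only WinSxS-hosted loaders are in scope for this rule
    # A WinSxS component has no business pulling a DLL from a user-writable path.
    if not _under(loaded, WINDOWS_DIR):
        return ("high", "WinSxS binary loaded a DLL from outside " + WINDOWS_DIR)
    # Inside the Windows tree (which has writable corners such as C:\Windows\Temp)
    # but not Microsoft-signed is still worth an analyst's look.
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        return ("medium", "WinSxS binary loaded a DLL that is not Microsoft-signed")
    return None


def analyze(lines):
    """Parse a JSON-per-line Sysmon export and return the flagged image loads."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings.append({"severity": hit[0], "reason": hit[1], "pid": event.get("ProcessId"),
                             "image": event["Image"], "loaded": event["ImageLoaded"]})
    return findings


# Constructed sample export (not real telemetry): two benign WinSxS loads, one hijack
# from a user-writable directory, one out-of-scope process, one unsigned load from C:\Windows\Temp.
SAMPLE_LOG = r'''
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\WinSxS\\amd64_example-component_1.0.0.0\\tool.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\WinSxS\\amd64_example-component_1.0.0.0\\tool.exe", "ImageLoaded": "C:\\Windows\\WinSxS\\amd64_example-runtime_1.0.0.0\\runtime.dll", "Signed": "true", "Signature": "Microsoft Windows"}
{"EventID": 7, "ProcessId": 5388, "Image": "C:\\Windows\\WinSxS\\amd64_example-component_1.0.0.0\\tool.exe", "ImageLoaded": "C:\\Users\\Public\\staging\\helper.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "ProcessId": 6012, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", "Signed": "false", "Signature": ""}
{"EventID": 7, "ProcessId": 7044, "Image": "C:\\Windows\\WinSxS\\amd64_example-component_1.0.0.0\\tool.exe", "ImageLoaded": "C:\\Windows\\Temp\\helper.dll", "Signed": "false", "Signature": ""}
'''

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The fourth record is deliberately ignored: a user-mode installer loading a DLL from its own temp directory is a different (and far noisier) hunt. The rule is a heuristic, so pair the alerts with Event ID 1 for the same ProcessId to see who launched the WinSxS binary and from which working directory before escalating.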
Threat Actor Activity
Upwards of $85 Million in Cryptocurrency Stolen from Orbit Chain
Orbit Chain, a South Korea-based blockchain platform designed to function as a multi-asset hub, suffered a security breach that led to the theft of an estimated $85 million worth of cryptocurrency, mainly Ether, USD Coin, Dai, and Tether. Blockchain intelligence platforms reported the platform's balance dropping almost instantly from $115 million to $29 million on the night of December 31, 2023, the result of a series of unauthorized drain transactions performed by as-yet unidentified attackers. While the identity and origin of the threat actor, along with the nature of the exploit used, remain unknown, the attack appears to be the work of a sophisticated state-sponsored group, possibly based in North Korea. Orbit Chain is working with the Korean National Police Agency and KISA (Korea Internet & Security Agency), which specializes in North Korean (DPRK) threats, as well as other domestic and foreign law enforcement agencies, to investigate the matter. In a further effort to track down the attackers and recover the funds, the company is coordinating with global cryptocurrency exchanges to freeze stolen assets that pass through their infrastructure. Orbit Chain is also warning its community about scammers using verified accounts on X to promote phishing sites that claim to offer repayment of lost funds. Blockchain theft had a massive presence in 2023: wallet drainers such as Inferno Drainer and MS Drainer stole $295 million from roughly 320,000 victims, and North Korean hackers alone have reportedly stolen up to $2 billion worth of cryptocurrency in support of the North Korean government's initiatives.
Vulnerabilities
11 million SSH Servers Still Vulnerable to Terrapin Exploitation
Almost 11 million internet-exposed SSH servers are vulnerable to Terrapin, an attack that compromises the integrity of SSH connections. The flaw, tracked as CVE-2023-48795, affects both SSH clients and servers. An attacker manipulates packet sequence numbers during the handshake, injecting and deleting packets so that the two peers' counters fall out of step and the first encrypted messages of the session can be silently dropped without either side noticing; the attack works against connections that negotiate the ChaCha20-Poly1305 cipher or a CBC cipher combined with an Encrypt-then-MAC (EtM) MAC. Dropping those messages lets the attacker downgrade the public key algorithms used for user authentication and disable the keystroke timing countermeasures introduced in OpenSSH 9.5. To succeed, the attacker must hold an adversary-in-the-middle (AiTM) position from which to intercept and modify the handshake exchange. The nearly 11 million vulnerable servers represent approximately 52% of all samples scanned across the IPv4 and IPv6 space; they are predominantly located in the United States, with large numbers also in China, Germany, Russia, Singapore, and Japan. The scale of unpatched devices hints at the potential impact of Terrapin attacks: while not every exposed server is immediately at risk, given the AiTM requirement, the large number of vulnerable servers provides a substantial target pool for threat actors. The Terrapin researchers at Ruhr University Bochum in Germany, who first identified the vulnerability, have released a vulnerability scanner for assessing whether SSH clients and servers are susceptible to the attack. Technical details of the attack can be found in the report linked below. CTIX analysts recommend that organizations ensure they have patched this flaw and take the necessary steps to identify all vulnerable instances across their infrastructure. Note that the countermeasure, a "strict key exchange" extension negotiated during the handshake, only protects a connection when both the client and the server support it, so both sides must be updated; where an upgrade is not yet possible, disabling the ChaCha20-Poly1305 cipher and the CBC-with-EtM combinations removes the affected modes.
- Ruhr University Bochum: Terrapin Attack Report
- The Hacker News: Terrapin Attack Article
- Ars Technica: Terrapin Attack Article
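The conditions described above (an affected cipher mode negotiated, and strict key exchange not advertised by both peers) can be evaluated from the two KEXINIT messages that open every SSH handshake. The following is an added example written for this update; it is not the Ruhr University Bochum scanner or OpenSSH code. It serialises and parses SSH_MSG_KEXINIT in the RFC 4253 wire format, applies the RFC's algorithm negotiation rule, and reports whether the resulting connection would be Terrapin-vulnerable. All KEXINIT contents below are constructed sample data, not captures, and the strict-kex extension names (kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com) are the ones OpenSSH uses.

```python
"""Added example: decide whether an SSH connection would be Terrapin-vulnerable
(CVE-2023-48795) from the two KEXINIT messages exchanged at handshake start.
Not the Terrapin researchers' scanner nor OpenSSH code; every KEXINIT built
below is constructed sample data."""
import struct

MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
ETM = "hmac-sha2-256-etm@openssh.com"
STRICT_C = "kex-strict-c-v00@openssh.com"  # client half of the strict-kex countermeasure
STRICT_S = "kex-strict-s-v00@openssh.com"  # server half of the strict-kex countermeasure

# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")


def build_kexinit(**lists):
    """Serialise a KEXINIT payload; the 16-byte cookie is zeroed because it is irrelevant here."""
    payload = bytes([MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    return payload + b"\x00" + bytes(4)  # first_kex_packet_follows = FALSE, reserved uint32


def parse_kexinit(payload):
    """Parse a KEXINIT payload into a dict of name-lists, as a scanner reads it off the wire."""
    if payload[0] != MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 17, {}
    for field in FIELDS:
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length].decode("ascii")
        off += length
        out[field] = [name for name in raw.split(",") if name]
    out["first_kex_packet_follows"] = bool(payload[off])
    return out


def negotiate(client_list, server_list):
    """RFC 4253 rule: the first client-preferred name that the server also supports."""
    return next((name for name in client_list if name in server_list), None)


def mode_is_affected(cipher, mac):
    """Terrapin applies to ChaCha20-Poly1305 and to any CBC cipher paired with an EtM MAC."""
    return cipher == CHACHA or (cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))


def assess(client_kexinit, server_kexinit):
    """Evaluate both directions of the connection the two KEXINITs would negotiate.
    Strict kex only neutralises the attack when BOTH peers advertise it."""
    c, s = parse_kexinit(client_kexinit), parse_kexinit(server_kexinit)
    strict = STRICT_C in c["kex_algorithms"] and STRICT_S in s["kex_algorithms"]
    findings = []
    for direction in ("c2s", "s2c"):
        cipher = negotiate(c["encryption_" + direction], s["encryption_" + direction])
        mac = negotiate(c["mac_" + direction], s["mac_" + direction]) or ""  # moot for an AEAD cipher
        if cipher is None:
            findings.append((direction, None, mac, "no common cipher"))
        elif mode_is_affected(cipher, mac) and not strict:
            findings.append((direction, cipher, mac, "vulnerable"))
        else:
            findings.append((direction, cipher, mac, "ok"))
    return {"strict_kex": strict, "findings": findings,
            "vulnerable": any(f[3] == "vulnerable" for f in findings)}


def _peer(kex, ciphers, macs):
    """Constructed KEXINIT with identical lists in both directions (sample data only)."""
    return build_kexinit(kex_algorithms=kex, server_host_key_algorithms=["ssh-ed25519"],
                         encryption_c2s=ciphers, encryption_s2c=ciphers,
                         mac_c2s=macs, mac_s2c=macs,
                         compression_c2s=["none"], compression_s2c=["none"])


# A client that prefers ChaCha20 and already speaks strict kex, against three constructed servers.
CLIENT = _peer(["curve25519-sha256", STRICT_C],
               [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr"], [ETM, "hmac-sha2-256"])
UNPATCHED_SERVER = _peer(["curve25519-sha256"], [CHACHA, "aes256-ctr"], [ETM])
PATCHED_SERVER = _peer(["curve25519-sha256", STRICT_S], [CHACHA, "aes256-ctr"], [ETM])
HARDENED_SERVER = _peer(["curve25519-sha256"], ["aes256-gcm@openssh.com", "aes256-ctr"], [ETM])

if __name__ == "__main__":
    for label, server in (("unpatched", UNPATCHED_SERVER), ("patched", PATCHED_SERVER),
                          ("hardened", HARDENED_SERVER)):
        print(label, assess(CLIENT, server))
```

The three servers illustrate the three outcomes a practitioner cares about: the unpatched server negotiates ChaCha20-Poly1305 with no strict kex and is vulnerable; the patched server offers the server-side strict-kex name, which, together with the client's, makes the same cipher choice safe; the hardened server applies the configuration workaround only (no ChaCha20 and no CBC), so the negotiation falls through to AES-GCM and the affected mode never comes up. Feeding real KEXINIT payloads from a capture into assess() works the same way, since the parser follows the wire format.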
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.