
Ankura CTIX FLASH Update - January 30, 2024

Ransomware/Malware Activity

Mexican Organizations Targeted with New AllaKore RAT to Conduct Financial Fraud Attacks

A new spear-phishing campaign is targeting Mexican financial institutions to deliver a new version of the AllaKore remote access trojan (RAT). According to researchers, the campaign uses Mexican Social Security Institute naming conventions and legitimate documents to lure victims into launching the payload. The infection begins with a ZIP file delivered to the target network via a phishing email or a drive-by compromise involving legitimate files. Once loaded and installed, AllaKore RAT has the capabilities typical of a trojan, including keystroke logging, file exfiltration and, in some cases, taking control of a device through privilege escalation. This updated version adds capabilities that specifically target financial and cryptocurrency services, including retrieving and executing additional payloads. The targets are typically corporations grossing over $100 million annually, across a wide variety of public and private sectors. The campaign has been seen using Mexico-based Starlink IP addresses, which, combined with the new Spanish-language instructions in the updated AllaKore RAT, leads researchers to believe it is the work of a previously unknown Latin American threat actor. Ankura will continue to monitor the evolution of this campaign as it progresses.

Threat Actor Activity

Stealthy Cyber-Espionage Actor Behind NSPX30 Malware Attacks

A previously unknown advanced threat actor tracked as "Blackwood" has recently been discovered using a novel backdoor in adversary-in-the-middle (AitM) attacks. Blackwood has gone undetected for more than half a decade, conducting clandestine cyber-espionage operations dating back to 2018. The group uses the NSPX30 malware, whose code is linked to a backdoor from a 2005 campaign called "Project Wood" that was first used to target Hong Kong politicians; it evolved into DCM (Dark Specter) in 2008 and, in 2020, into NSPX30, the first sample of the current implant, used in a campaign aligned with Chinese state interests. Blackwood's version of the malware is far more sophisticated than its predecessors: it has a multi-stage design and targets individuals in China, Japan, and the United Kingdom. The malware is delivered by exploiting the software update processes of popular applications such as WPS Office (office suite), the Tencent QQ instant messaging platform, and the Sogou Pinyin document editor. NSPX30 primarily collects information from a breached system, but its capabilities extend from data exfiltration to keylogging, detection evasion, and packet interception to hide its infrastructure. It can also steal chat logs and contact lists from a handful of apps, including Tencent QQ, WeChat, Telegram, Skype, CloudChat, RaidCall, YY, and AliWangWang. The group's advanced techniques, particularly its use of AitM attacks to deliver malware invisibly, highlight the evolving threat landscape and the need for organizations to adopt comprehensive cybersecurity measures, including endpoint protection, vigilant network monitoring, and strategic network segmentation. Reach out to CTIX analysts for expert support if your organization requires assistance in bolstering its cybersecurity posture.

Vulnerabilities

Jenkins Server Exploits Under Active Exploitation

Critical vulnerabilities in Jenkins, an open-source automation server widely used in software development, have led to the release of multiple proof-of-concept (PoC) exploits, and active exploitation by attackers has been reported. The first and most critical flaw, tracked as CVE-2024-23897, stems from the behavior of the args4j command parser used by Jenkins. If exploited, it allows unauthenticated attackers with certain permissions to read data from arbitrary files on the Jenkins server, potentially leading to admin privilege escalation and remote code execution. The second vulnerability, tracked as CVE-2024-23898, is a cross-site WebSocket hijacking flaw that enables attackers to execute arbitrary CLI commands via maliciously crafted links. Although Jenkins has released patches for both issues, PoC exploits for CVE-2024-23897 have been published online, and researchers have observed actual attacks on Jenkins servers. The situation underscores the importance of timely security updates in protecting against such vulnerabilities. With the PoC exploits public, even unsophisticated attackers scanning organizations for the Jenkins flaws could copy the scripts and deploy them with very little effort. CTIX analysts recommend that administrators responsible for their organization's Jenkins implementation ensure that they have installed the most recent updates to prevent exploitation.
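Both Jenkins flaws described above are reached through the Jenkins CLI endpoint, which lives under /cli (with the WebSocket transport under /cli/ws). Patching is the fix, but while updates roll out, a defender can at least watch for unexpected traffic to that endpoint. The script below is an added example, not part of the Ankura bulletin or of Jenkins itself; it assumes a reverse proxy in front of Jenkins writing a combined-format access log with two extra quoted fields (the Origin and Upgrade request headers), and the log lines and trusted origin are constructed for the demonstration.

```python
"""Flag reverse-proxy access-log lines that touch the Jenkins CLI endpoint.

Added example (hypothetical deployment). Assumes a proxy log in combined
format plus two extra quoted fields appended by the proxy configuration:
"$http_origin" "$http_upgrade". Two conditions are flagged: a request to
/cli with no authenticated user, and a WebSocket upgrade to the CLI from an
Origin that is not the Jenkins instance's own (cross-site WebSocket use).
"""
import re
from dataclasses import dataclass

# Assumed hostname of our own Jenkins instance (placeholder value).
TRUSTED_ORIGINS = {"https://jenkins.example.internal"}

# Constructed sample log lines; IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
10.0.0.5 - alice [30/Jan/2024:09:12:01 +0000] "GET /job/build/123/console HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-" "-"
203.0.113.9 - - [30/Jan/2024:09:12:44 +0000] "POST /cli?remoting=false HTTP/1.1" 200 812 "-" "python-requests/2.31" "-" "-"
198.51.100.7 - - [30/Jan/2024:09:13:02 +0000] "GET /cli/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0" "https://third-party.example" "websocket"
10.0.0.8 - ci-bot [30/Jan/2024:09:13:30 +0000] "GET /cli/ws HTTP/1.1" 101 0 "-" "Jenkins-CLI/2.0" "-" "websocket"
"""

# Combined log format followed by the two assumed extra quoted fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)" "(?P<upgrade>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_cli_path(path: str) -> bool:
    """True for /cli, /cli?..., and anything below /cli/ (e.g. /cli/ws)."""
    base = path.split("?", 1)[0]
    return base == "/cli" or base.startswith("/cli/")


def analyze(log_text: str) -> list[Finding]:
    """Scan the log and return one Finding per suspicious CLI access."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cli_path(rec["path"]):
            continue
        # "-" in the user field means the proxy saw no authenticated user.
        if rec["user"] == "-":
            findings.append(Finding(rec["ip"], rec["path"],
                                    "unauthenticated request to Jenkins CLI endpoint"))
        # A WebSocket upgrade to the CLI carrying a foreign Origin header is
        # the shape of a cross-site WebSocket hijack attempt.
        if (rec["upgrade"].lower() == "websocket"
                and rec["origin"] != "-"
                and rec["origin"] not in TRUSTED_ORIGINS):
            findings.append(Finding(rec["ip"], rec["path"],
                                    f"CLI WebSocket upgrade from untrusted Origin {rec['origin']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ip:15} {f.path:22} {f.reason}")
```

Running it on the constructed sample yields three findings: the anonymous POST to /cli, and two for the anonymous cross-site WebSocket upgrade; the authenticated ci-bot session with no foreign Origin is left alone. In a real deployment, feed it the proxy's log and tune TRUSTED_ORIGINS to the instance's actual URL.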


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

cyber response, cybersecurity & data privacy, data privacy & cyber risk
