USB Devices: Still a Vector
A threat actor group has been seen in the wild utilizing USB devices for the initial infection of targeted systems. Appearing to be financially motivated, UNC4990 has been tracked by Mandiant primarily targeting Italian systems and users through an attack chain enabled by USB devices but propagated by text strings and files stored in uncompromised locations. The chain is initiated when a victim clicks a malicious LNK file on the USB drive; LNK files are typically used to link to folder structures within Windows, and this one is written to emulate the USB drive itself, convincing users that it is a safe object to interact with. Once clicked, it launches the PowerShell script "explorer.ps1", a known malicious script that downloads further malicious payloads including the EMPTYSPACE downloader. This PowerShell script then downloads more resources hosted on GitHub and GitLab. Specifically, it downloads a file named "src.txt" that contains only the control characters for Tab, Space, and New Line, so it appears as a blank text document when opened. The file is later decoded by replacing the space characters with 1s, the tab characters with 0s, and the new lines with space characters, producing a binary sequence that is actually an array of substrings. Researchers also identified other public-facing locations where strings important to the process are stored, such as a Vimeo video description or a text document hosted on GitHub. Alone, these strings are not harmful, but when placed into the attack chain they become an important part of the execution. Hosting content and strings on these trusted third-party sites makes it less likely that security services and firewalls will block the connection. After the connection is established, EMPTYSPACE downloads the QUIETBOARD backdoor. QUIETBOARD allows the threat actors to execute code and scripts, infect other USB devices to propagate the infection, gather system information, and install crypto miners.
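As an added example (not code from the Mandiant report or from Ankura), the following Python triage helper flags a non-empty text file that consists of nothing but whitespace and applies the decoding described above (space to 1, tab to 0, new line to a separator). The function names, the minimum-length threshold and the sample blob are constructed assumptions for this illustration, not artifacts from the campaign.

```python
"""Triage helper for 'blank-looking' text files that carry data in whitespace.

Implements the substitution described above: space -> '1', tab -> '0',
newline -> ' ', yielding a space-separated array of binary substrings.
All names and thresholds here are assumptions of this added example.
"""
from typing import List, Optional

WHITESPACE_ONLY = {" ", "\t", "\n", "\r"}


def is_whitespace_only(text: str, min_len: int = 64) -> bool:
    """Flag a file of non-trivial size whose every character is whitespace:
    it renders as empty in an editor yet still carries data."""
    return len(text) >= min_len and all(c in WHITESPACE_ONLY for c in text)


def decode_whitespace_blob(text: str) -> List[str]:
    """Apply the substitution (spaces first, so later steps do not clash)
    and split the result into the array of bit strings."""
    decoded = (text.replace("\r", "")
                   .replace(" ", "1")
                   .replace("\t", "0")
                   .replace("\n", " "))
    return decoded.split()


def bits_to_bytes(groups: List[str]) -> Optional[bytes]:
    """If every group is exactly 8 bits, render it as bytes for analyst review;
    otherwise return None, since the real grouping may differ (assumption)."""
    if not groups or any(len(g) != 8 or set(g) - {"0", "1"} for g in groups):
        return None
    return bytes(int(g, 2) for g in groups)


def constructed_sample() -> str:
    """Constructed fixture (not a real artifact): the bytes of 'hi' written
    with the same mapping, one 8-bit group per line."""
    groups = [format(b, "08b") for b in b"hi"]
    return "\n".join(g.replace("1", " ").replace("0", "\t") for g in groups) + "\n"


if __name__ == "__main__":
    blob = constructed_sample() * 8  # repeated so it clears min_len
    print("whitespace-only file:", is_whitespace_only(blob))
    groups = decode_whitespace_blob(blob)
    print("first groups:", groups[:2])
    print("as bytes:", bits_to_bytes(groups))
```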
This use of USB devices to infect and propagate malware is a very old technique, one that most had thought would be obsolete given modern security technology. UNC4990 has proved that this is not the case. Ankura will continue to monitor this campaign and any advances made.
Threat Actor Activity
Cactus Ransomware Gang Suspected to be Behind Schneider Electric Attack
Schneider Electric, the French multinational energy management and automation giant, suffered a ransomware attack on January 17th, 2024, affecting the company's Sustainability Business division. The company confirmed in a recent statement that the incident disrupted division-specific tools along with its Resource Advisory product, a data visualization tool for sustainability information that was reported to still be suffering from outages earlier this week. Schneider Electric serves organizations across one hundred (100) countries, as well as roughly 30% of all Fortune 500 companies as reported in 2021, meaning impacts could vary greatly depending on what data the threat actors were able to obtain. The threat actor was not explicitly named in statements made by Schneider Electric, but sources familiar with the situation report that the Cactus ransomware gang is behind the attack that led to the unauthorized access and theft of corporate data. Researchers warned back in December 2023 about the Cactus ransomware group using online advertisements to infect victims, and about an increase in the group's activity, with traces of its ransomware seen in attacks targeting the industrial and engineering industries and impacting their manufacturing and industrial control system (ICS) equipment. The Cactus ransomware operation first appeared in March 2023; the group is regarded as experienced and skilled hackers known to partake in double-extortion tactics, demanding ransom payments in order to provide a file decryptor and prevent stolen data from being leaked. The threat actors apparently have terabytes of data, but there has been no mention of the actual scope of the data affected nor its nature. The multinational company has been testing the operational capability of the impacted systems and seems optimistic that access will resume shortly.
- Bleeping Computer: Schneider Electric Article
- The Record: Schneider Electric Article
- Dark Reading: Schneider Electric Article
CISA Adds Apple Vulnerability to the KEV
The Cybersecurity and Infrastructure Security Agency (CISA) announced that it has added a previously patched kernel vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects Apple iPhones, Macs, TVs, and watches, and is now under active exploitation by threat actors. The vulnerability, tracked as CVE-2022-48618, was discovered by Apple's own security team. It was first mentioned in a January 9th update to a December 2022 security advisory, without clarity on whether it had been addressed in the past. Successful exploitation allows attackers to bypass Pointer Authentication, a defense against memory corruption exploits, by exploiting an improper authentication vulnerability. Apple has remediated the issue in iOS 16.2 and later versions, as well as in updates for iPadOS, macOS Ventura, tvOS, and watchOS, covering a wide range of devices. Despite the lack of detailed exploitation reports from Apple, CISA has included CVE-2022-48618 in its KEV and mandated that all U.S. Federal Civilian Executive Branch (FCEB) agencies apply patches no later than February 21, 2024. CTIX analysts recommend that all Apple product and service users ensure that their devices are running the most up-to-date software version. This directive comes as Apple also patches another zero-day bug exploited in attacks, highlighting the ongoing threat landscape for Apple devices and software.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.