Thousands of Ukrainian Computers Compromised by PurpleFox Malware
The Ukrainian Computer Emergency Response Team (CERT-UA) has reported on a recent attack campaign that infected at least 2,000 computers within Ukraine with PurpleFox malware. PurpleFox is malware that uses a rootkit to hide itself on an infected device and persist there, while also acting as a downloader for further malicious payloads. Additionally, PurpleFox can use infected devices as nodes in a botnet that can then be leveraged for subsequent DDoS attacks. PurpleFox has been used by threat actors since 2018 in a variety of configurations, including malicious applications masquerading as legitimate services and worms that self-propagate. CERT-UA has stated that the PurpleFox malware in this campaign is likely infecting devices through MSI installers that bundle PurpleFox. PurpleFox has the ability to self-propagate across systems and typically relies on known exploits to do so, so keeping operating systems patched can severely hamper its ability to infect new systems. Additional analysis by CERT-UA has shown that many of the command-and-control (C2) servers associated with this PurpleFox campaign are located in China, providing a large set of indicators of compromise (IOCs) for defenders to monitor. Despite the malware's use of a rootkit, CERT-UA has published methods to remove PurpleFox from infected systems. CTIX analysts will continue to monitor hacking campaigns involving PurpleFox and those taking place in active conflict zones.
Threat Actor Activity
Interpol Operation Helps Dismantle Global Cybercrime Infrastructure
An international law enforcement operation involving sixty (60) agencies across fifty-five (55) countries has significantly impacted cybercrime by taking down over 1,300 command-and-control (C2) servers. Led by Interpol and code-named Synergia, the operation ran from September to November 2023, targeting servers linked to ransomware campaigns, phishing attacks, and malware distribution. The takedown of these C2 servers marks a major victory in combating cyber threats, as it disrupts the ability of threat actors to communicate with infected devices. These servers are crucial to the attackers' infrastructure, managing the delivery of malicious payloads and the execution of commands, so taking them offline effectively halts most of the associated malicious activity. In addition to disabling servers, law enforcement conducted thirty (30) house searches, leading to the arrest of thirty-one (31) individuals and the confiscation of electronic devices. Interpol also identified seventy (70) additional suspects involved in cybercrime activities such as phishing, banking malware, and malware distribution. While Interpol has indicated that it uncovered significant cybercrime groups as part of this ongoing investigation, specific details have not been disclosed. The majority of the C2 servers taken down were located in Europe, with others found in Singapore, Hong Kong, South Sudan, Zimbabwe, and Bolivia. This coordinated effort represents a substantial disruption to cybercriminal operations and a proactive step toward securing the digital ecosystem.
Leaky Vessels Vulnerabilities Could Allow Attackers to Gain Unauthorized Access to Host OS
The vulnerabilities collectively known as "Leaky Vessels" are a set of four (4) security flaws discovered in November 2023 by Snyk security researcher Rory McNamara. If exploited, the vulnerabilities could allow attackers to bypass container isolation mechanisms and gain unauthorized access to the host operating system. These vulnerabilities, identified as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, affect the runc and BuildKit components widely used in container management software such as Docker and Kubernetes. Although there is currently no evidence of active exploitation, the potential risk prompted urgent advisories urging system administrators to update their systems. The flaws range from an order-of-operations bug to inadequate privilege checks, each presenting a distinct threat to containerized environments. Fixes were coordinated among the affected projects and released on January 31, 2024, with Docker, AWS, Google Cloud, Ubuntu, and others issuing updates and security bulletins to mitigate the risks. This incident highlights the importance of timely vulnerability management, especially given the widespread impact that vulnerabilities in fundamental infrastructure components can have across the cloud computing landscape. CTIX analysts recommend that all system administrators ensure that their infrastructure is up to date.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.