XSS Attacks Impact Millions
A new threat group going by the name “ResumeLooters” has used a series of SQL injection and cross-site scripting (XSS) attacks targeting dozens of job listing sites, retail sites, and even real estate websites to extract personal data from millions of people. Primarily targeting Asia and Australia, the threat actors exfiltrated individuals’ names, emails, phone numbers, and other personal information. ResumeLooters used a variety of tools, including SQLmap and Acunetix, both of which are used to detect and exploit SQL injection flaws automatically. After using these common tools to identify their targets, the threat actor injected scripts into the websites’ HTML. Occasionally the injection has been done so poorly that the injected code is visible on the website itself, making the attempted attack obvious. When the injection is done correctly, however, the new HTML code displays a phishing form that steals user information. ResumeLooters has also been seen using more novel techniques, such as posting fake resumes to the job boards that contain the XSS scripts themselves. The combination of poorly implemented attacks and the inability to cover their tracks effectively gives the impression of a new group conducting low-hanging-fruit attacks for financial gain, which is reinforced by the fact that the stolen data has been sold by two (2) Chinese-speaking Telegram accounts. CTIX analysts will continue to monitor the evolution of ResumeLooters and their abilities.
Threat Actor Activity
Volt Typhoon Stays Silent in US Critical Infrastructure during Long-Term Espionage Operation
Volt Typhoon, a People's Republic of China (PRC) state-sponsored cyber-espionage group, has stealthily infiltrated critical infrastructure networks within the United States, evading detection for an estimated five (5) years. This sophisticated group has primarily concentrated its efforts on the communications, energy, transportation, and water/wastewater sectors, and is the same threat actor responsible for espionage attacks during summer 2023 in Guam and other militarily important parts of the U.S. The PRC hackers are especially known for their living off the land (LOTL) techniques and for positioning themselves within critical infrastructure for follow-on attacks intended to cause physical harm and critical process disruptions. A concern with Volt Typhoon's long-term presence in these networks is their presumed strategy of executing disruptive actions, potentially in response to military conflicts or geopolitical tensions with the U.S. The group often maintains its foothold in environments by exploiting network appliance vulnerabilities and using stolen credentials, allowing it to conduct extensive espionage and gather intelligence on Operational Technology (OT) systems. The FBI's recent disruption of the KV-botnet malware, a tool used by Volt Typhoon to obscure its operations, signals a critical countermeasure against the group's covert activities. Amid heightened risks and increased concern from top U.S. officials, the FBI, NSA, and CISA, along with allied Five Eyes agencies, have released an advisory aimed at helping organizations identify and mitigate the risks posed by Volt Typhoon's tactics.
- Bleeping Computer: Volt Typhoon Article
- The Record: Volt Typhoon Article
- CISA: Volt Typhoon Joint Advisory
Flaw Patched in Open-Source Linux Bootloader "Shim"
A critical vulnerability, tracked as CVE-2023-40547, was discovered in the Shim Linux bootloader, posing a significant security risk by allowing attackers to execute code and gain control of a system before the kernel loads, effectively bypassing security mechanisms. Shim, maintained by Red Hat and used for the Secure Boot process on UEFI systems, is essential for verifying the integrity of the boot process, particularly for loading the GRUB2 bootloader. Discovered by Microsoft's Bill Demirkapi, the flaw exists in Shim's handling of HTTP boot, enabling an out-of-bounds write through manipulated HTTP response sizes. This vulnerability opens various attack vectors, including remote, local, and network-adjacent exploits, with potential methods such as man-in-the-middle (MiTM) attacks, EFI partition modifications, or PXE boot manipulations. Red Hat has patched this issue in Shim version 15.8, alongside fixes for five (5) other vulnerabilities. CTIX analysts urge all users to update Shim and apply the UEFI Secure Boot DBX update to mitigate the risk of exploitation associated with CVE-2023-40547, which, while unlikely to see mass exploitation, represents a critical threat to system security by allowing pre-OS boot code execution.
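The out-of-bounds write through a manipulated HTTP response size described above is the classic failure of a receive loop that sizes its buffer from the server's declared Content-Length and then trusts the server not to send more. The following is an added illustration, not Shim's code or its patch: a simplified receive loop with the unchecked form beside the hardened one; the struct, function names, and chunk sizes are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative model of an HTTP-boot receive loop (not shim's code): the body
 * buffer is allocated from the server-supplied Content-Length, then filled from
 * whatever chunks the server actually sends. */
typedef struct {
    unsigned char *buf;  /* allocation sized from Content-Length */
    size_t declared;     /* Content-Length claimed by the server */
    size_t received;     /* bytes copied so far */
} http_body;

/* Vulnerable pattern: trusts that the server never sends more than it declared.
 * A malicious or MitM'd server can make len exceed the remaining space, so the
 * memcpy writes past the end of buf. Defined for contrast; never called here. */
void append_unchecked(http_body *b, const unsigned char *chunk, size_t len) {
    memcpy(b->buf + b->received, chunk, len);
    b->received += len;
}

/* Hardened pattern: bound every chunk by the space that remains. */
int append_checked(http_body *b, const unsigned char *chunk, size_t len) {
    if (len > b->declared - b->received)
        return -1;                     /* body exceeds Content-Length: abort */
    memcpy(b->buf + b->received, chunk, len);
    b->received += len;
    return 0;
}

/* Runs the hardened loop over constructed chunk sizes (each capped at 64).
 * Returns 0 if the body fits, -1 if the server over-sent, -2 on a bad size. */
int fetch_checked(size_t declared, const size_t *chunk_lens, size_t nchunks) {
    if (declared == 0 || declared > (1u << 20))  /* sanity-cap the allocation */
        return -2;
    http_body b = { malloc(declared), declared, 0 };
    if (!b.buf) return -2;
    unsigned char chunk[64];
    memset(chunk, 0x41, sizeof chunk);           /* constructed filler bytes */
    int rc = 0;
    for (size_t i = 0; i < nchunks && rc == 0; i++)
        rc = append_checked(&b, chunk, chunk_lens[i] > 64 ? 64 : chunk_lens[i]);
    free(b.buf);
    return rc;
}

int main(void) {
    size_t honest[] = { 10, 6 }, lying[] = { 10, 10 };  /* vs Content-Length 16 */
    printf("honest: %d, lying: %d\n", fetch_checked(16, honest, 2),
           fetch_checked(16, lying, 2));                 /* prints 0 and -1 */
    return 0;
}
```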
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (email@example.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.