
Ankura CTIX FLASH Update - February 13, 2024

Ransomware/Malware Activity


macOS Backdoor Malware Spread via Fake Visual Studio Update

A piece of macOS malware masquerading as a Visual Studio update has been giving attackers backdoor access to infected systems. Active since November 2023, the campaign uses a Rust-based malware that Bitdefender has named "RustDoor", which runs on both Intel-based and Apple ARM CPU architectures. Once the backdoor is in place, infected systems have been observed connecting to command-and-control (C2) infrastructure associated with the ALPHV/BlackCat threat actor group. There are four (4) known C2 servers, three (3) of which have previous connections to ALPHV ransomware operators. RustDoor is distributed disguised as a Visual Studio updater for macOS, delivered as binaries that include the malware for both the x86-64 and ARM architectures. RustDoor supports a multitude of commands that can be used to launch additional processes and to infiltrate or exfiltrate data. Other capabilities include altering the file structure of an infected system, displaying phishing messages to users, and retrieving additional malware payloads. Additionally, RustDoor edits the "~/.zshrc" file so that it is launched again whenever a new terminal session is opened, which helps it evade detection by typical antivirus tools. CTIX analysts will continue to monitor macOS-based malware and its impact on the macOS ecosystem.
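Because the persistence described above lives in a plain-text shell startup file, a defender can audit ~/.zshrc for entries that launch binaries from hidden directories or detach background processes. The script below is an added example written for this update, not Bitdefender's or Ankura's tooling, and the sample file content it scans is constructed for illustration; it does not reproduce the actual lines RustDoor writes, and the heuristics are a starting point rather than a signature.

```python
"""Flag suspicious entries in a user's shell startup file (~/.zshrc).

Added example; the sample rc content and the detection rules are constructed
for illustration and are not taken from the RustDoor samples.
"""
import re
from pathlib import Path
from typing import List, Tuple

# Constructed sample of a ~/.zshrc: three ordinary lines followed by two lines
# of the kind a persistence implant might append (paths are made up).
SAMPLE_ZSHRC = """\
export PATH="/opt/homebrew/bin:$PATH"
alias ll='ls -la'
source ~/.oh-my-zsh/oh-my-zsh.sh
nohup "$HOME/.vsupdate/updater" >/dev/null 2>&1 &
/private/tmp/.x/helper --silent &
"""

# Heuristics a defender can apply to shell rc files: (rule name, regex).
RULES: List[Tuple[str, re.Pattern]] = [
    # A command path that passes through a hidden directory under $HOME or /tmp
    ("exec-from-hidden-dir",
     re.compile(r'(?:\$HOME|~|/Users/[^/]+|/tmp|/private/tmp)/\.[^\s/]+/')),
    # A process detached from the login shell so it keeps running after startup
    ("backgrounded-process", re.compile(r'\bnohup\b|&\s*$')),
    # Download-and-execute one-liners
    ("download-and-run", re.compile(r'\b(?:curl|wget)\b.*\|\s*(?:sh|bash|zsh)\b')),
]

# Common benign line shapes that are skipped to keep the noise down. This
# allowlist trades some coverage for fewer false positives; a stricter
# deployment can drop it and review every line.
ALLOW = re.compile(r'^\s*(?:export|alias|source|\.)\s')


def scan_rc_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, line) for every rule hit in the text."""
    hits: List[Tuple[int, str, str]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or ALLOW.match(line):
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                hits.append((number, name, stripped))
    return hits


def scan_rc_file(path: Path = Path.home() / ".zshrc") -> List[Tuple[int, str, str]]:
    """Scan a real startup file; an absent file simply yields no findings."""
    if not path.is_file():
        return []
    return scan_rc_text(path.read_text(errors="replace"))


if __name__ == "__main__":
    for number, rule, line in scan_rc_text(SAMPLE_ZSHRC):
        print(f"line {number}: [{rule}] {line}")
```

Run against a real machine, the same function can be pointed at every user's ~/.zshrc (and ~/.zprofile, ~/.bash_profile) from a fleet-management job, and any hit that names a path not present in a known-good baseline is worth a closer look at the file it launches.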


Threat Actor Activity


US State Department's $10 Million Bounty on Information Relating to Hive Ransomware Members

The US State Department announced a $10 million reward for information that could help identify or locate key members of the Hive ransomware gang. An additional $5 million reward is being offered for information leading to the arrest or conviction of individuals who were active members of the gang or attempted to participate in its activities. The Hive ransomware gang is a transnational organized crime group credited with extorting up to $100 million from roughly 1,300 companies in around eighty (80) countries between June 2021 and November 2022. It operated as a ransomware-as-a-service (RaaS) provider, first surfacing in June 2021, and was known for breaching organizations through phishing campaigns, exploitation of vulnerabilities in internet-exposed devices, and use of purchased credentials. These reward announcements come a year after an international law enforcement operation seized control of Hive's servers and Tor websites in January 2023. That operation led to the capture of Hive's decryption keys, helping victims avoid paying $130 million in active ransom demands. The infiltration of the Hive ransomware operation was especially notable because, unlike other ransomware groups, Hive did not discriminate among targets and was not afraid to breach and encrypt anyone, including emergency services and healthcare entities. The rewards, offered through the Transnational Organized Crime Rewards Program (TOCRP), have previously been used to announce bounties relating to members of the Clop, Conti, REvil, and DarkSide ransomware operations. This current announcement from the State Department, along with past ones, signals the continued commitment by law enforcement to lay down the hammer on transnational cybercrime.


Vulnerabilities


FortiOS Vulnerability Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a critical remote code execution (RCE) vulnerability is under active exploitation by attackers. The flaw, tracked as CVE-2024-21762, exists in the FortiOS operating system and was patched by Fortinet in the first week of February 2024. The flaw, an out-of-bounds write weakness, allows unauthenticated attackers to execute arbitrary code remotely via maliciously crafted HTTP requests. For administrators unable to apply the security updates immediately, Fortinet recommends disabling SSL VPN on affected devices as a temporary measure. The CISA advisory follows Fortinet's own notification of potential in-the-wild exploitation. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies secure their FortiOS devices against this vulnerability no later than February 16, 2024. Additionally, Fortinet addressed confusion around the disclosure of two (2) other critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) in its FortiSIEM solution, initially denying their validity before acknowledging them as variants of a previously fixed flaw (CVE-2023-34992), which underscores the importance of promptly securing all Fortinet devices. CTIX analysts recommend that all administrators ensure their FortiOS instances are patched and, if patching cannot be carried out immediately because of its impact on critical processes, follow the mitigation measures in the Fortinet advisory.
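A KEV listing with a due date is only useful if it is matched against an inventory, so the following added example (written for this update, not CISA's or Fortinet's tooling) takes a KEV-style record and a small constructed asset list and reports each FortiOS device as patched, temporarily mitigated by the SSL VPN workaround the advisory mentions, due, or overdue. The field names follow the public KEV JSON feed as I understand it; the record's CVE id, product and due date come from the text above, while its dateAdded value and the vulnerabilityName string are placeholders rather than the catalog's actual values, and every host in the inventory is made up.

```python
"""Match a CISA KEV-style entry against an asset inventory and report
remediation status relative to the catalog due date.

Added example. KEV_ENTRY is constructed: the CVE id, product and due date are
taken from the update; dateAdded and vulnerabilityName are placeholders.
"""
from datetime import date, datetime
from typing import Dict, List

KEV_ENTRY: Dict[str, str] = {
    "cveID": "CVE-2024-21762",
    "vendorProject": "Fortinet",
    "product": "FortiOS",
    "vulnerabilityName": "FortiOS out-of-bounds write (placeholder text)",
    "dateAdded": "2024-02-09",  # placeholder, not the catalog's real value
    "dueDate": "2024-02-16",    # FCEB deadline stated in the update
}

# Constructed inventory. "patched" is the asset owner's attestation that the
# fixed build is installed; "ssl_vpn_enabled" reflects the vendor's interim
# mitigation of disabling SSL VPN where patching must wait.
ASSETS: List[Dict[str, object]] = [
    {"host": "fw-edge-01",   "product": "FortiOS", "patched": True,  "ssl_vpn_enabled": True},
    {"host": "fw-branch-02", "product": "FortiOS", "patched": False, "ssl_vpn_enabled": True},
    {"host": "fw-lab-03",    "product": "FortiOS", "patched": False, "ssl_vpn_enabled": False},
    {"host": "sw-core-01",   "product": "IOS",     "patched": False, "ssl_vpn_enabled": False},
]


def parse_iso(value: str) -> date:
    """KEV dates are YYYY-MM-DD strings."""
    return datetime.strptime(value, "%Y-%m-%d").date()


def assess(assets: List[Dict[str, object]], kev: Dict[str, str], today: date) -> List[Dict[str, str]]:
    """Return one finding per asset whose product matches the KEV entry."""
    due = parse_iso(kev["dueDate"])
    findings: List[Dict[str, str]] = []
    for asset in assets:
        if str(asset["product"]).lower() != kev["product"].lower():
            continue  # different product line; the entry does not apply
        if asset.get("patched"):
            status = "patched"
        elif not asset.get("ssl_vpn_enabled", True):
            # Interim vendor workaround in place; still track until patched.
            status = "mitigated-ssl-vpn-disabled"
        elif today > due:
            status = "overdue"
        else:
            status = f"due-in-{(due - today).days}d"
        findings.append({"host": str(asset["host"]), "cve": kev["cveID"], "status": status})
    return findings


def overdue_hosts(findings: List[Dict[str, str]]) -> List[str]:
    """Convenience view for escalation: hosts past the due date with no workaround."""
    return [f["host"] for f in findings if f["status"] == "overdue"]


if __name__ == "__main__":
    for finding in assess(ASSETS, KEV_ENTRY, date(2024, 2, 13)):
        print(f'{finding["host"]:14} {finding["cve"]}  {finding["status"]}')
```

Feeding the real KEV feed in is a matter of loading its JSON and iterating over the vulnerabilities array with the same function; the useful part for an operations team is the status split, since a device with SSL VPN disabled is not the same escalation as an unpatched, exposed one.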


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

cyber response, cybersecurity & data privacy, data privacy & cyber risk, report
