Ankura CTIX FLASH Update - March 8, 2024

Ransomware/Malware Activity

New Golang Malware Targets Hadoop, Docker, Confluence, and Redis

Security researchers have recently discovered several new Golang payloads developed to identify and exploit hosts running Hadoop YARN, Docker, Confluence, and/or Redis. To kick off the campaign, the attackers use Golang tools to scan the victim network for open ports associated with the targeted services (ports 2375, 8088, 8090, and 6379). Each Golang binary contains code to exploit the identified service; for instance, the Confluence-targeting binary is built to grab an exploit for a known Atlassian vulnerability (CVE-2022-26134). Once the service is exploited, the attackers install a cryptocurrency miner and establish a reverse shell to maintain persistence. The researchers point out that the new binaries were not sanitized by the threat actors, making them very easy to reverse engineer. Other payloads analyzed in this campaign attempt to delete initial access artifacts, such as Docker images, from Ubuntu or Alpine repositories. One such script, “ar.sh”, also includes code to add an SSH key and fetch the Golang reverse shell session manager “Platypus”. These findings demonstrate the growing popularity of the “Go” programming language for scripting malware among threat actors, and this is yet another example of threat actors exploiting services on Linux hosts for cryptomining. CTIX analysts recommend that organizations running these services threat hunt for, and block, the IOCs related to this campaign. CTIX analysts will continue to report on novel malware strains and threat actor trends.
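A defender-side hunt for the scanning stage described above, added here as an example and not part of the original update or the researchers' material: it parses constructed firewall connection log lines (the log format, hosts and addresses are assumptions) and flags any source that touches at least three of the four targeted ports within a five-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the report: Docker API (2375), Hadoop YARN (8088),
# Confluence (8090) and Redis (6379).
TARGETED_PORTS = {2375: "Docker", 8088: "Hadoop YARN", 8090: "Confluence", 6379: "Redis"}

# Constructed sample of firewall connection log lines (not real traffic).
SAMPLE_LOG = """\
2024-03-07T10:00:01Z src=203.0.113.7 dst=10.0.0.5 dport=2375 action=allow
2024-03-07T10:00:02Z src=203.0.113.7 dst=10.0.0.5 dport=8088 action=allow
2024-03-07T10:00:02Z src=203.0.113.7 dst=10.0.0.6 dport=8090 action=deny
2024-03-07T10:00:03Z src=203.0.113.7 dst=10.0.0.6 dport=6379 action=allow
2024-03-07T10:05:00Z src=10.0.0.9 dst=10.0.0.5 dport=8088 action=allow
2024-03-07T11:30:00Z src=198.51.100.4 dst=10.0.0.7 dport=6379 action=allow
"""

# Assumed log line layout; adjust the pattern to the firewall actually in use.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
    }

def find_scanners(log_text, min_ports=3, window=timedelta(minutes=5)):
    """Return {src: sorted service names} for sources that touched at least
    `min_ports` distinct targeted ports within `window`. Denied connections
    count too: a scan is visible whether or not the firewall let it through."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        e = parse(line)
        if e and e["dport"] in TARGETED_PORTS:
            events[e["src"]].append((e["ts"], e["dport"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each index starts a candidate window
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(TARGETED_PORTS[p] for p in ports)
                break
    return hits
```

Running `find_scanners(SAMPLE_LOG)` on the constructed sample reports only 203.0.113.7, which hit all four services within seconds, while the single-port internal and external connections are ignored.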

Threat Actor Activity

US Agencies Warn of Phobos RaaS Targeting Critical Infrastructure 

U.S. cybersecurity and intelligence agencies, including CISA, the FBI, and MS-ISAC, have issued warnings about Phobos ransomware attacks aimed at government and critical infrastructure. Phobos operates under a ransomware-as-a-service (RaaS) model and has targeted various sectors, including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure, leading to several million dollars in ransoms. Phobos has been active since May 2019, with variants such as Eking, Eight, Elbie, Devos, Faust, and Backmydata. It is believed to be managed by a central authority that controls the ransomware’s private decryption key. Associated attacks have typically used phishing to drop payloads such as SmokeLoader, or brute-force attacks on exposed RDP services, for initial access. Once inside, the attackers use additional tools and techniques to maintain persistence, steal credentials, and escalate privileges. The threat actors use tools such as BloodHound and SharpHound to enumerate Active Directory, and WinSCP and Mega.io for data exfiltration, often followed by the deletion of volume shadow copies, which makes recovery more difficult. Process injection techniques are often used to execute further code and evade detection, while modifications to the Windows Registry have been used for persistence. Additionally, Phobos actors use built-in Windows APIs to steal tokens, bypass access controls, and escalate privileges via SeDebugPrivilege. CTIX analysts will keep an eye on activity related to Phobos ransomware actors and ransomware attacks.

Vulnerabilities

TeamCity Servers Under Active Exploitation

Threat actors are actively exploiting a critical vulnerability in TeamCity on-premises servers. TeamCity is a continuous integration and continuous delivery (CI/CD) server by JetBrains designed to automate building, testing, and deploying software. The flaw, tracked as CVE-2024-27198, is a critical authentication bypass vulnerability with a CVSS score of 9.8/10, affecting all TeamCity versions up to 2023.11.4. If successfully exploited, the vulnerability allows remote attackers to gain administrative control over vulnerable servers. The potential for supply-chain attacks is also high, as compromised servers could give attackers access to sensitive information and control over software builds and deployments. This widespread exploitation has led to the creation of hundreds of unauthorized users on unpatched TeamCity instances visible online. LeakIX has identified over 1,700 unpatched TeamCity servers, primarily located in Germany, the United States, and Russia, with over 1,440 instances already compromised. Exploitation patterns show the creation of users with 8-character alphanumeric usernames. GreyNoise observed a significant increase in exploitation attempts, particularly from the United States on DigitalOcean's hosting infrastructure. JetBrains has released a patch in TeamCity 2023.11.4, and CTIX analysts urge administrators to update their installations immediately to mitigate the risk of exploitation.
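Two checks an administrator could run after reading the above, added here as an example rather than anything from JetBrains or the original update: comparing a server's reported version against the 2023.11.4 fix, and flagging recently created accounts whose names match the 8-character alphanumeric pattern noted in the exploitation reports. The user export format and the sample accounts are constructed assumptions.

```python
import re
from datetime import datetime

PATCHED_VERSION = (2023, 11, 4)  # fix version named in the report
# Username pattern reported for the unauthorized accounts created by attackers.
SUSPECT_NAME_RE = re.compile(r"^[A-Za-z0-9]{8}$")

# Constructed sample of a (hypothetical) TeamCity user export: (name, created).
SAMPLE_USERS = [
    ("alice.builder", "2023-06-12T09:15:00"),
    ("ci-deploy", "2023-09-01T11:00:00"),
    ("k3x9pq2z", "2024-03-05T02:13:44"),
    ("Qw7ert9u", "2024-03-05T02:14:10"),
    ("bob", "2024-03-06T10:00:00"),
]

def parse_version(s):
    """'2023.11.3' -> (2023, 11, 3); missing trailing components default to 0
    so that '2023.11' compares as 2023.11.0."""
    parts = [int(p) for p in s.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version_str):
    """True when the reported version predates the 2023.11.4 fix."""
    return parse_version(version_str) < PATCHED_VERSION

def suspicious_users(users, since):
    """Names matching the 8-character alphanumeric pattern that were created
    on or after `since` (ISO 8601). Treat hits as leads to verify, since a
    legitimate account can also happen to match the pattern."""
    cutoff = datetime.fromisoformat(since)
    return [name for name, created in users
            if SUSPECT_NAME_RE.match(name)
            and datetime.fromisoformat(created) >= cutoff]
```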

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.