Malware Activity
DarkGate Malware Campaign Exploits Microsoft Windows Defender SmartScreen Flaw
A DarkGate malware campaign observed in mid-January 2024 has been exploiting a Windows Defender SmartScreen flaw that Microsoft patched in its February 2024 Patch Tuesday release. The flaw, CVE-2024-21412 (an Internet Shortcut Files security feature bypass), allows certain files to skip the security warning SmartScreen is designed to display when unrecognized or suspicious files are opened. It is triggered through a ".url" (Internet Shortcut) file that points to a second ".url" file hosted on a remote SMB share; Windows follows the chain and executes the file at the final location without presenting the SmartScreen prompt. The campaign begins as most do, with a phishing email. The email carries a PDF containing links that route through Google DoubleClick Digital Marketing redirects to evade URL reputation checks in email security products. The link in the PDF sends the victim to a compromised web server, where the nested shortcut chain exploits the SmartScreen flaw and ultimately runs a malicious MSI file. The MSI masquerades as a legitimate installer for NVIDIA, Apple iTunes, or Notion software. Rather than exploiting a second vulnerability, the installer uses DLL sideloading, dropping a trojanized library beside a legitimate signed executable so that the executable loads it, to decrypt and execute the DarkGate payload on the system. DarkGate is an infostealer that can fetch additional payloads, perform keylogging, and give attackers remote access to the infected device. This campaign is another reminder for organizations to patch their systems promptly, to consider blocking outbound SMB (TCP 445) to the internet at the perimeter, and to educate users on phishing techniques. CTIX analysts will continue to report on new strains of malware and malware campaigns.
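The nested-shortcut chain above is easy to check for in mail or endpoint pipelines, because a ".url" file is a small INI-style text file whose target sits in a single URL= line. The following Go program is an added illustration written for this update and is not code from the DarkGate campaign, from Microsoft, or from the researchers who reported CVE-2024-21412. It parses the [InternetShortcut] section, decides whether the target lives on a remote share (either a UNC path or a file:// URL with a host), and flags a remote target that is itself another ".url" file as the chain pattern. The three sample shortcut files and the 203.0.113.10 host are constructed for the example and correspond to no real campaign artifacts.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"strings"
)

// Finding explains why a shortcut file looks like a SmartScreen-bypass chain.
type Finding struct {
	Target string
	Reason string
}

// parseURLFile returns the URL= value from the [InternetShortcut] section of a
// Windows Internet Shortcut (.url) file, or "" when the file has none.
func parseURLFile(content string) string {
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // also strips the \r of CRLF files
		switch {
		case strings.HasPrefix(line, "["):
			inSection = strings.EqualFold(line, "[InternetShortcut]")
		case inSection && strings.HasPrefix(strings.ToLower(line), "url="):
			return strings.TrimSpace(line[4:])
		}
	}
	return ""
}

// remoteTarget reports the host when the shortcut target is a UNC path
// (\\host\share\...) or a file:// URL that names a host; either form makes
// Windows fetch the target over SMB/WebDAV instead of the local disk.
func remoteTarget(target string) (host string, remote bool) {
	if strings.HasPrefix(target, `\\`) {
		host = strings.SplitN(strings.TrimPrefix(target, `\\`), `\`, 2)[0]
		return host, host != ""
	}
	u, err := url.Parse(target)
	if err == nil && strings.EqualFold(u.Scheme, "file") && u.Host != "" {
		return u.Host, true
	}
	return "", false
}

// inspect flags any shortcut whose target is on a remote share, and calls out
// the case where that remote target is itself a .url file (the nested chain).
func inspect(content string) (Finding, bool) {
	target := parseURLFile(content)
	if target == "" {
		return Finding{}, false
	}
	host, remote := remoteTarget(target)
	if !remote {
		return Finding{}, false
	}
	if strings.HasSuffix(strings.ToLower(target), ".url") {
		return Finding{Target: target, Reason: "nested .url on remote share " + host}, true
	}
	return Finding{Target: target, Reason: "target on remote share " + host}, true
}

// samples are constructed shortcut files for the demo, not real campaign files.
var samples = map[string]string{
	"benign": "[InternetShortcut]\r\nURL=https://example.com/\r\n",
	"stage1": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/stage2.url\r\nIconIndex=0\r\n",
	"stage2": "[InternetShortcut]\r\nURL=" + `\\203.0.113.10\share\installer.msi` + "\r\n",
}

func main() {
	for _, name := range []string{"benign", "stage1", "stage2"} {
		if f, ok := inspect(samples[name]); ok {
			fmt.Printf("%s: FLAGGED %s (%s)\n", name, f.Target, f.Reason)
		} else {
			fmt.Printf("%s: ok\n", name)
		}
	}
}
```

The check deliberately treats any remote-share target as worth a look, not only the nested ".url" case: a shortcut that launches an MSI or executable straight from an attacker-controlled share is the second hop of the same chain, and the point of the patch is that SmartScreen had stopped prompting on it.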
Threat Actor Activity
LockBit Cybercriminal Sentenced to Four Years in Canada After Pleading Guilty
Mikhail Vasiliev, a 34-year-old Russian-Canadian dual national, has been sentenced to a four (4) year prison term by an Ontario court for his significant role in the LockBit ransomware operation, one of the most notorious and destructive cybercrime groups in recent history. Vasiliev's criminal activities came to light following his arrest in November 2022, and he subsequently pleaded guilty in February 2024 to a series of charges including cyber extortion, mischief in relation to computer data, and weapons offenses. Over the course of his involvement with LockBit, Vasiliev was implicated in orchestrating upwards of 1,000 cyberattacks, targeting businesses predominantly in Canadian provinces and cities including Saskatchewan, Montreal, and Newfoundland. These attacks occurred between 2021 and 2022, during which LockBit demanded ransom payments totaling over $100 million. As a result of his cybercrimes, Vasiliev has been ordered to pay $860,000 in restitution to the Canadian victims affected by his actions. Despite the personal consequences faced by Vasiliev, including likely extradition to the United States for further charges, the broader LockBit operation initially showed resilience. Following a significant crackdown by global law enforcement agencies, which included the seizure of infrastructure and the arrest of other LockBit affiliates, the gang attempted to relaunch its operations, updating its encryptors and ransom notes in an effort to continue its criminal enterprise. However, the appearance of ongoing LockBit activity may not reflect the actual state of the organization. Analysis of its new data leak site revealed that most of the posted data pertains to companies attacked in previous years, suggesting that the group is striving to appear more active than it truly is in the aftermath of the law enforcement operation.
In summary, the case of Mikhail Vasiliev and the law enforcement disruption of the LockBit ransomware gang underscore the significant impact of international cybercrime and the ongoing efforts of law enforcement to combat it. Despite the setbacks experienced by LockBit, the group's previous success in extracting substantial ransom payments and the complexity of its operations serve as a stark reminder of the challenges posed by such cybercriminal networks.
Vulnerabilities
RCE Flaw in Kubernetes Allows for Complete Takeover of Windows Nodes
A high-severity vulnerability in Kubernetes leading to remote code execution (RCE) has recently been detailed by researchers. The flaw, tracked as CVE-2023-5528 (CVSS score of 7.2/10), allows an attacker who can create persistent volumes in a cluster to execute code with SYSTEM privileges on every Windows node in that cluster by applying a crafted YAML manifest. It affects Kubernetes versions from 1.8.0 onward and was fixed in the patch releases published on November 14, 2023. The root cause was an insecure command-line call combined with inadequate input sanitization in the handling of Kubernetes volumes, specifically local volumes: on Windows nodes, the path supplied in the volume definition was interpolated into a command line and passed to the Windows command interpreter. An attacker who creates a persistent volume with a maliciously crafted path can therefore inject additional commands, which run with the privileges of the kubelet, and thereby take complete control of all Windows nodes in the cluster. The patch replaced the command-line call with a native Go function that treats the path purely as data, eliminating the injection. Kubernetes has become one of the most popular open-source container orchestration platforms, and for the same reason has become a valuable target for threat actors given the scale of what a single flaw can expose. This bug highlights the importance of sanitizing user inputs, of never assembling shell command lines from cluster-supplied data, and of the continual need for rigorous security practices within Kubernetes environments. CTIX analysts recommend that all organizations running Windows nodes in Kubernetes clusters confirm that their control plane and kubelets are on a patched release and that permission to create PersistentVolume objects is restricted to trusted administrators.
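To make the bug class concrete, the following Go program, added here as an illustration and not taken from the Kubernetes source or from the research that described CVE-2023-5528, contrasts the two patterns the paragraph describes: building a command line for cmd.exe from a volume path taken out of a manifest, versus handing that same path to a native Go library call. It also shows the kind of input validation that belongs in front of any code path that still has to reach a shell. The link and target paths, and the metacharacter-laden "malicious" path, are constructed for the example; the mklink command string is a simplified stand-in for the real kubelet call, not a reproduction of it, and the program never executes it.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// maliciousPath is a constructed example of a volume path that carries a cmd.exe
// metacharacter. Everything after "&" would run as a separate command if this
// string were ever interpolated into a command line and handed to cmd.exe.
const maliciousPath = `C:\data\vol & echo injected`

// buildMklinkCmdLine is the vulnerable pattern: untrusted data is spliced into a
// string that a shell will parse, so the path can carry its own commands. This
// function only builds the string; the example never runs it.
func buildMklinkCmdLine(linkPath, targetPath string) string {
	return fmt.Sprintf(`cmd /c mklink /D %s %s`, linkPath, targetPath)
}

// ErrUnsafePath is returned for paths that contain shell-significant characters.
var ErrUnsafePath = errors.New("volume path contains characters unsafe for a command line")

// validateLocalPath is the defensive input check: reject anything cmd.exe would
// treat as syntax (&, |, <, >, ^, %, !, quotes, newlines) plus control bytes.
// This is a backstop; the real fix is to avoid the shell entirely.
func validateLocalPath(p string) error {
	if p == "" || strings.ContainsAny(p, "&|<>^%!\"'`;\r\n") {
		return ErrUnsafePath
	}
	for _, r := range p {
		if r < 0x20 {
			return ErrUnsafePath
		}
	}
	return nil
}

// createSymlink is the hardened pattern: the path goes to a library call as an
// argument, so it is data and can never be interpreted as a command. This is the
// same shape as replacing a mklink invocation with os.Symlink.
func createSymlink(linkPath, targetPath string) error {
	return os.Symlink(targetPath, linkPath)
}

// demoSafeLink creates a link to the given target in a temporary directory and
// returns the target string the filesystem actually stored, proving that even a
// metacharacter-laden target survives verbatim and nothing was executed.
func demoSafeLink(target string) (string, error) {
	dir, err := os.MkdirTemp("", "pv-demo-")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	link := filepath.Join(dir, "volume")
	if err := createSymlink(link, target); err != nil {
		return "", err
	}
	return os.Readlink(link)
}

func main() {
	fmt.Println("vulnerable command line would be:")
	fmt.Println("  " + buildMklinkCmdLine(`C:\k8s\volume`, maliciousPath))
	fmt.Println("validation verdict:", validateLocalPath(maliciousPath))
	stored, err := demoSafeLink(maliciousPath)
	fmt.Printf("safe symlink stored target %q (err=%v)\n", stored, err)
}
```

Running the program shows the "&" and everything after it sitting inside the would-be command line, the validator rejecting the path, and os.Symlink recording the whole string as an inert link target. The general lesson is the one the patch applied: when a value from a manifest has to become a filesystem operation, call the operation directly rather than spelling it out for a shell.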
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.