
Ankura CTIX FLASH Update - March 22, 2024

Ransomware/Malware Activity

“AcidPour” Data-Wiping Malware Developed to Target Linux x86 Devices

Cybersecurity researchers at SentinelLabs have analyzed a novel data-wiping malware sample that was uploaded to the internet from Ukraine. Dubbed “AcidPour”, the malware shares code with “AcidRain”, the wiper used in 2022 against satellite broadband services in Ukraine. Both wipers use the same IOCTL (input/output control) based wiping mechanism, the same logic for recursive directory wiping, and the same reboot mechanism. The key difference is the target platform: AcidRain was compiled for MIPS-based devices, whereas AcidPour is built for Linux on x86. The AcidPour code also references the device paths “/dev/ubiXX” and “/dev/dm-XX”. The “/dev/ubiXX” path (UBI volumes on raw flash memory) is common in embedded systems such as IoT (Internet-of-Things), networking, and ICS (Industrial Control System) devices. The “/dev/dm-XX” path belongs to device-mapper volumes such as those managed by Logical Volume Management (LVM), which puts Storage Area Network (SAN) and Network Attached Storage (NAS) systems within AcidPour’s target scope. These additions suggest that AcidPour targets a broader range of systems than its AcidRain predecessor. The AcidPour sample analyzed by the researchers is available on VirusTotal. As of this writing, it is unclear whether AcidPour has been deployed against any known victims. CTIX analysts will continue to report on novel strains of malware and associated campaigns.
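A small triage helper, added here as an example and not part of the SentinelLabs analysis or the Ankura report: it reads the ELF header to report the target architecture (x86/x86-64 versus MIPS, the distinction drawn above) and scans the file for the “/dev/ubi” and “/dev/dm-” device-path prefixes the write-up mentions. The sample blob it runs on is constructed inline and is not the AcidPour binary; the function names and the pattern set are assumptions for illustration.

```python
"""Triage helper: ELF target architecture plus wiper-relevant device-path strings."""
import re
import struct

# e_machine values from the ELF specification.
EM_386 = 3
EM_MIPS = 8
EM_X86_64 = 62
MACHINE_NAMES = {EM_386: "x86", EM_X86_64: "x86-64", EM_MIPS: "MIPS"}

# Device-path prefixes the write-up says AcidPour references. The digit suffix
# is optional so a format string such as "/dev/dm-%d" still matches.
# (Assumed pattern set for illustration; extend as needed.)
DEVICE_PATH_RE = re.compile(rb"/dev/(?:ubi|dm-)[0-9]*")


def elf_machine(data: bytes):
    """Return (arch_name, is_64bit) for an ELF blob, or None if it is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]          # EI_CLASS, EI_DATA
    endian = "<" if ei_data == 1 else ">"         # ELFDATA2LSB vs ELFDATA2MSB
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    name = MACHINE_NAMES.get(e_machine, f"unknown(0x{e_machine:x})")
    return name, ei_class == 2


def triage(data: bytes) -> dict:
    """Report architecture and any block-device paths referenced in the file."""
    machine = elf_machine(data)
    hits = sorted({m.decode("ascii") for m in DEVICE_PATH_RE.findall(data)})
    return {
        "is_elf": machine is not None,
        "arch": machine[0] if machine else None,
        "bits": (64 if machine[1] else 32) if machine else None,
        "device_paths": hits,
        "suspicious": bool(hits),
    }


def make_sample_elf(machine: int, strings: list, is_64: bool = True) -> bytes:
    """Constructed ELF-like blob (valid e_ident and e_machine, then padding and
    NUL-separated strings). It is NOT an executable and NOT the AcidPour sample;
    it exists only so triage() can be exercised offline."""
    e_ident = b"\x7fELF" + bytes([2 if is_64 else 1, 1, 1]) + b"\x00" * 9  # 16 bytes, little-endian
    header = e_ident + struct.pack("<HH", 2, machine)                        # e_type=ET_EXEC, e_machine
    return header + b"\x00" * 44 + b"\x00".join(strings) + b"\x00"


if __name__ == "__main__":
    sample = make_sample_elf(EM_X86_64, [b"/dev/ubi0", b"/dev/dm-%d", b"/sbin/reboot"])
    print(triage(sample))
```

String hits alone are weak evidence, since legitimate storage and flash tooling references the same paths, so treat a positive result as a pivot for deeper analysis rather than a verdict. To run it against a real sample pulled from VirusTotal, pass `open(path, "rb").read()` to `triage()`.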


Threat Actor Activity

Iranian-Linked Hackers Compromise Israeli Nuclear Facility

A hacking group with ties to Iran, operating under the Anonymous banner, has claimed responsibility for infiltrating the computer network of the Shimon Peres Negev Nuclear Research Center, a key Israeli nuclear facility that houses a nuclear reactor. Framing the intrusion as a protest against the war in Gaza, the hackers claimed to have stolen and released thousands of documents online, including PDFs, emails, and PowerPoint slides from the research center. The group posted on social media that it "carried out the operation in such a way that no civilians were harmed" while also calling the operation very dangerous; it said it did not intend to set off a nuclear explosion but urged residents of the nearby city of Dimona and the town of Yeruham to consider evacuating. The latter message was likely a scare tactic: although the group compromised the facility's IT network, there is no evidence that it reached the more secure operational technology (OT) networks. The incident has not yet elicited a public response from the Israeli embassy in London. Researchers have identified similarities between the attacks carried out by this Anonymous group and those associated with Iranian cyber groups, suggesting a possible connection or even a shared identity among these threat actors. The cybersecurity landscape in Israel has been under strain since the outbreak of the war in Gaza, with a surge in cyberattacks from various threat actors. These attacks have included data breaches, system intrusions, disinformation campaigns, and targeting of industrial control systems, reflecting cyber operations as an active and likely future component of modern warfare. Analysis of the disclosed documents indicates that while they are not highly sensitive, they could facilitate future attacks such as phishing. Reporting on the incident emphasizes that the release of these documents should not be read as an indication that the hackers can control the facility's critical operational systems.

Vulnerabilities

Ivanti Patches Vulnerabilities Leading to RCE

Ivanti has issued urgent patches for two critical vulnerabilities, one in Standalone Sentry and one in Neurons for IT Service Management (ITSM). The Standalone Sentry vulnerability, tracked as CVE-2023-41724, allows an unauthenticated attacker on the same network to achieve remote code execution (RCE) on the appliance's underlying operating system, and it affects all supported versions. The flaw, reported by researchers at the NATO Cyber Security Centre, is significant because Standalone Sentry acts as a Kerberos Key Distribution Center Proxy (KKDCP) or as a gatekeeper for ActiveSync-enabled servers. The second vulnerability, tracked as CVE-2023-46808, affects Neurons for ITSM and enables an attacker with low-level authenticated access to execute commands in the context of the web application's user; Ivanti's cloud landscapes have already been patched, so only on-premises deployments remain exposed until administrators update. Ivanti has found no evidence that either vulnerability is being exploited in the wild but urges immediate action to prevent exploitation. These advisories follow a series of Ivanti vulnerabilities previously exploited by nation-state actors and other threat groups, which led to widespread attacks and emergency directives from cybersecurity agencies to secure Ivanti Connect Secure and Policy Secure systems against zero-day flaws. These incidents highlight the importance of basic security hygiene and the consequences of unaddressed vulnerabilities in widely used enterprise software. CTIX analysts recommend that all administrators of the affected Ivanti products patch as soon as possible, prioritizing on-premises Neurons for ITSM and any Standalone Sentry appliance reachable from a network segment an attacker could plausibly gain a foothold on.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
