Ransomware/Malware Activity
Vultur Android Banking Trojan Advances Capabilities and Updates Techniques
Vultur is a banking trojan designed to infect Android phones to steal financial information and credentials from victims. First seen in 2021, the malware has used dropper applications masquerading as legitimate applications on the Google Play store to trick victims into installing the malware. Recently, threat actors have updated their initial attack vector to proactively source victims through SMS messages. Attackers will send targets a malicious SMS message that proports to be from a financial institution and alerts the victim to an unauthorized transaction on their account. The message instructs the victim to call a phone number which is answered by the attacker who instructs the victim to open a link arriving in another SMS message. This malicious link directs the victim to a site to download a trojanized version of the McAfee Security application. Once installed, the application decrypts and executes three (3) Vultur payloads. Two (2) payloads are APK files and are designed to obtain Accessibility Services privileges and set up remote access tools such as AlphaVNC/ngrok. The final DEX payload establishes a connection with the attacker’s command-and-control (C2) server. This new version of Vultur has expanded capabilities, allowing not just for the extraction of credentials and sensitive information, but also remote control of the infected device. New features include the use of Accessibility Services to perform clicks/scrolling, the disabling of Keyguard to bypass lock screen security, the ability to manage device files, and the ability to block applications from executing on the device. In addition, the new version of Vultur evades detection by encrypting C2 communications using multiple encrypted payloads and masquerading its activities to appear as legitimate application processes. The enhanced capabilities of Vultur potentially expand its use case beyond just a banking trojan. Users must remain vigilant on vetting sources prior to downloading applications. In addition, individuals should always call the known phone number of their financial institution directly and never click on links sent from unknown senders. CTIX analysts will continue to report on new and evolving forms of malware.
Threat Actor Activity
AT&T Confirms Data Leak Affecting 73 Million Customers
After data surfaced on the dark web nearly two (2) weeks ago, AT&T came out over the weekend confirming the legitimacy that the leaked data traced back to them. The data was listed on a dark web criminal marketplace containing information of roughly 7.6 million current AT&T customers and 65.4 million former customers, affecting a total of approximately 73 million individuals. AT&T said they are currently unaware of evidence suggesting that there was unauthorized access to their systems that would've resulted in the exfiltration of the data set, which includes past and current customers' Social Security numbers, names, email addresses, mailing addresses, phone numbers, dates of birth, AT&T account numbers and passcodes. The current dataset appears to be similar and potentially identical to a dataset the hacker group ShinyHunters offered for sale back in 2021, which the company had previously identified and reported as not originating from their servers, suggesting that this dataset might have originated from a vendor. While the dataset from 2021 had a listed price of $1 million, the recent posting by a hacker who goes by "MajorNelson" offered the dataset completely for free. AT&T, the largest wireless provider based on subscriber figures in the US, acknowledged that the incident has had no material impact on the company's operations. Furthermore, the company reset the passcodes of the 7.6 million current account holders who were a part of the database and will be directly contacting individuals who had their sensitive personal information compromised, offering them identity theft and credit monitoring services. AT&T suffered another recent incident just a year ago where a breach exposed the sensitive information of around 9 million customers.
Vulnerabilities
Popular Linux Distros Vulnerable to Backdoor in XZ Utils Library
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Red Hat have issued warnings about a critical vulnerability in the XZ Utils data compression library. The flaw, tracked as CVE-2024-3094 (CVSS score of 10/10), is due to malicious code in versions 5.6.0 and 5.6.1, aimed at enabling unauthorized remote access by interfering with SSH daemon authentication via systemd. The vulnerability, discovered by Microsoft engineer Andres Freund, affects Fedora 41 and Fedora Rawhide, but not Red Hat Enterprise Linux (RHEL) or stable Debian versions. Users are urged to revert to XZ Utils version 5.4.6 Stable or earlier safe versions to mitigate risk. The malicious code, designed for obfuscation, was found in the liblzma build process and is capable of modifying the liblzma library to intercept and alter data interactions, potentially allowing attackers to execute arbitrary code through SSH before authentication. GitHub has disabled the affected repository for violating terms of service, and while no active exploitations have been reported, the incident raises significant concerns about the security of open-source supply chains. CTIX analysts urge Linux administrators and users to check their XZ version and downgrade to a safe version, if necessary, to avoid unauthorized system access and defend against this sophisticated supply chain attack.
- Bleeping Computer: CVE-2024-3094 Article
- The Record: CVE-2024-3094 Article
- The Hacker News: CVE-2024-3094 Article
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
