
Ankura CTIX FLASH Update - April 23, 2024

Ransomware/Malware Activity

GitHub and GitLab CDN Flaw Abused to Push Malware via Legitimate Repo URLs

A design flaw in GitHub's CDN (Content Delivery Network) lets attackers host malware under URLs that appear to belong to trusted repositories. Researchers noticed a new Lua-based malware loader being distributed through URLs pointing at Microsoft's GitHub repositories for vcpkg and the STL library. The malware was not present in either repository's live contents, which led BleepingComputer to conclude that the URLs had been generated by abusing how GitHub handles files attached to comments. When a file is attached to a comment on an issue or pull request, GitHub immediately generates a download link for it on its CDN. That link is created before the comment is submitted, and the file remains downloadable even if the comment is never posted or is deleted after posting. An attacker can therefore attach a payload to a draft comment on any public repository, discard the comment, and distribute a URL that carries the target organization's name and repository path. This has been observed against Microsoft's repositories and against the repository of a known aimbot game cheat. BleepingComputer later confirmed that GitLab comment attachments behave the same way. While the Lua loader is the payload seen so far, any malware or unwanted content can be associated with a legitimate repository in this manner. Repository owners can mitigate the abuse only by temporarily disabling comments, for a maximum of six months at a time, which is rarely practical for active development projects. At the time of writing, GitHub had not responded to BleepingComputer, which disclosed the finding to the company on Thursday, April 18th. CTIX analysts will continue to report on novel and evolving malware campaigns.
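
The practical detection point in the paragraph above is that a comment-attachment URL carries a repository owner's name in its path but points at a file the owner never reviewed. The following is an added example, not code from the original page or from GitHub: a small Python classifier that separates those attachment links from links to real repository content, release assets and source archives, and scans free text (an email body, a ticket, a proxy log) for them. The attachment URL shapes are an assumption drawn from publicly reported examples rather than GitHub documentation, and the sample message and its URLs are constructed, modelled on the URL shape reported by BleepingComputer.

```python
import re
from urllib.parse import urlparse

# Assumed URL shapes for files attached to GitHub comments, based on publicly
# reported examples rather than GitHub documentation:
#   https://github.com/<owner>/<repo>/files/<id>/<name>      (classic form)
#   https://github.com/user-attachments/files/<id>/<name>    (newer form)
#   https://github.com/user-attachments/assets/<uuid>
#   https://user-images.githubusercontent.com/...           (pasted images)
ATTACHMENT_PATTERNS = [
    re.compile(r"^/[^/]+/[^/]+/files/\d+/"),
    re.compile(r"^/user-attachments/(files|assets)/"),
]
REPO_CONTENT = re.compile(r"^/[^/]+/[^/]+/(blob|tree|raw)/")
RELEASE_ASSET = re.compile(r"^/[^/]+/[^/]+/releases/download/")
SOURCE_ARCHIVE = re.compile(r"^/[^/]+/[^/]+/archive/")
URL_RE = re.compile(r"""https?://[^\s"'<>)\]]+""")


def classify_github_url(url):
    """Say what a github.com link actually points at.

    'comment_attachment' files were uploaded by whoever wrote a comment and
    are never part of the repository named in the path; the other classes
    are content controlled by the repository owner.
    """
    parts = urlparse(url)
    host = parts.netloc.lower()
    path = parts.path
    if host == "user-images.githubusercontent.com":
        return "comment_attachment"
    if host == "raw.githubusercontent.com":
        return "repo_content"
    if host != "github.com":
        return "other"
    if any(p.match(path) for p in ATTACHMENT_PATTERNS):
        return "comment_attachment"
    if REPO_CONTENT.match(path):
        return "repo_content"
    if RELEASE_ASSET.match(path):
        return "release_asset"
    if SOURCE_ARCHIVE.match(path):
        return "source_archive"
    return "other"


def find_attachment_urls(text):
    """Extract every URL from free text and return those that are comment attachments."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:")   # drop sentence punctuation glued to the link
        if classify_github_url(url) == "comment_attachment":
            hits.append(url)
    return hits


# Constructed phishing-style message; the URLs are illustrative, modelled on
# the reported abuse of the microsoft/vcpkg repository path.
SAMPLE_MESSAGE = """Hi team,
the updated build is on Microsoft's official repo:
https://github.com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip.
Docs: https://github.com/microsoft/STL/blob/main/README.md
"""

if __name__ == "__main__":
    for url in find_attachment_urls(SAMPLE_MESSAGE):
        print("comment attachment, not repository content:", url)
```

A hit from `find_attachment_urls` is not proof of malware; it only says the file was uploaded through a comment and the owner in the path vouches for nothing. Treating such links like any other untrusted download (sandboxing, hash lookup, blocking at the proxy) is the useful response.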


Threat Actor Activity

North Korean-Linked Threat Actors Adjusting Tactics and Leveraging AI

Recent reporting indicates that North Korea-affiliated threat actors, in particular Emerald Sleet, are using artificial intelligence (AI) and large language models (LLMs) to make their operations more efficient and effective. Observed uses include AI-assisted spear-phishing campaigns aimed at experts on the Korean Peninsula, vulnerability research and reconnaissance against organizations of interest, troubleshooting, scripting, and drafting content for phishing lures. Emerald Sleet engagements typically open with a seemingly benign conversation intended to build a relationship that yields a long-term exchange of information of strategic value to North Korea. By adopting credible personas, often impersonating think tanks or non-governmental organizations, and by exploiting weak email authentication policies at targeted organizations, the group has raised its success rate and shown agility in adjusting its tradecraft, including the use of web beacons for initial reconnaissance and target profiling. North Korean activity extends beyond Emerald Sleet: Jade Sleet (which overlaps with UNC4899 and TraderTraitor) and Diamond Sleet (Lazarus Group) have carried out cryptocurrency theft and sophisticated software supply chain attacks. These operations have netted millions of dollars in stolen assets and demonstrated advanced methods of evading security controls, underscoring the persistent and evolving threat these state-sponsored actors pose. The North Korean threat landscape is increasingly sophisticated, combining novel AI applications with established techniques, and is oriented toward revenue generation for the regime's weapons programs and intelligence collection against countries including the United States, South Korea, and Japan.
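
The paragraph above notes that the group profits from weak email authentication policies at the organizations it impersonates, but does not say which mechanism. The following is an added example, not code from the original page or from any vendor or agency, and it assumes the weakness in question is a missing or permissive DMARC policy (p=none, partial pct, or an unprotected subdomain policy), which is what lets a spoofed think-tank or NGO sender address reach a target's inbox. It parses DMARC TXT records and rates how much protection each gives; the domains and records are constructed for illustration, not real DNS data.

```python
# Constructed DMARC records for hypothetical domains (not real DNS data).
# "Weak email authentication" on the page is assumed here to mean a
# permissive or missing DMARC policy; the page does not name the mechanism.
SAMPLE_RECORDS = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "ngo.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "agency.example": "v=DMARC1; p=reject; rua=mailto:reports@agency.example",
    "nodmarc.example": "",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Rate a DMARC record as 'none', 'weak', 'partial' or 'strong'.

    Returns (rating, findings). 'strong' means p=reject applied to 100% of
    failing mail for the domain and its subdomains; anything less leaves a
    window in which a spoofed sender address is accepted by the receiver.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "none", ["no DMARC record: receivers apply no policy to spoofed mail"]

    policy = tags.get("p", "none").lower()
    subpolicy = tags.get("sp", policy).lower()      # sp inherits p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100

    findings = []
    if policy == "none":
        findings.append("p=none: authentication failures are only reported, never quarantined or rejected")
    if policy != "none" and subpolicy == "none":
        findings.append("sp=none: subdomains can be spoofed although the organizational domain is protected")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    if "rua" not in tags:
        findings.append("no rua tag: the owner receives no aggregate reports and cannot see spoofing attempts")

    if policy == "none":
        rating = "weak"
    elif policy == "reject" and subpolicy == "reject" and pct == 100:
        rating = "strong"
    else:
        rating = "partial"
    return rating, findings


def audit(records):
    """Map each domain to its rating, e.g. over a list of partner or frequently impersonated domains."""
    return {domain: evaluate_dmarc(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        rating, findings = evaluate_dmarc(record)
        print(f"{domain}: {rating}")
        for finding in findings:
            print(f"  - {finding}")
```

In a live check the record comes from a TXT lookup of `_dmarc.<domain>`; the rating logic is the same. The point for defenders is twofold: a "weak" or "none" result for your own domain means your name can be borrowed for this kind of lure, and the same result for a partner domain means mail claiming to come from that partner deserves extra scrutiny.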


Vulnerabilities

CrushFTP Patches Actively Exploited Critical Zero-Day Vulnerability

CrushFTP has warned users of a critical zero-day vulnerability in versions 9, 10, and 11 of its file transfer server that is being actively exploited in the wild. The flaw allows an unauthenticated attacker to escape the virtual file system (VFS) and download sensitive system files, which can serve as a stepping stone to further compromise. It was discovered by Simon Garrelou of Airbus CERT and is fixed in the newly released versions 10.7.1 and 11.1.0; version 9 has no fixed release of its own, so those installs must be upgraded to a fixed 10.x or 11.x build. Customers running CrushFTP's DMZ instance in front of their main server, which filters protocols and connections, are reported to be protected against the observed attacks, but CrushFTP stresses that all users, especially those with an exposed web interface, should update immediately. Security researchers have seen the exploit used in targeted intrusions, primarily against U.S. entities, which suggests the campaign may be politically motivated or aimed at intelligence gathering. CrushFTP's rapid patch release and direct outreach to customers underscore the urgency. CTIX analysts urge all administrators to confirm that they are running a fixed version of CrushFTP, and recommend placing a DMZ between internal networks and the public internet for defense in depth against future zero-days.
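
The advisory above gives the fixed releases per major version, and the first thing an administrator needs is a reliable answer to "is this instance patched?" across a fleet where version strings are recorded inconsistently. The following is an added example, not code from the original page or from CrushFTP: it compares a reported version against the fixed releases named above, treats the 9.x line as having no fix of its own, and triages a constructed inventory. The dotted-numeric version format and the hostnames are assumptions; the fixed version numbers are the ones the advisory states.

```python
import re

# Fixed releases named in the CrushFTP advisory summarised above. Version 9
# has no fixed release of its own, so a 9.x install must move to 10.7.1 or
# 11.1.0 (or later) to be protected.
FIXED_RELEASES = {10: (10, 7, 1), 11: (11, 1, 0)}


def parse_version(text):
    """Pull the first dotted numeric version out of a string such as 'CrushFTP 10.6.2'.

    The dotted-numeric format is an assumption about how versions are recorded.
    """
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = match.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version_text):
    """True when the reported version carries the fix for the VFS-escape bug."""
    version = parse_version(version_text)
    major = version[0]
    if major in FIXED_RELEASES:
        return version >= FIXED_RELEASES[major]
    # Anything older than the 10.x line predates the fix; anything newer than
    # 11.x is assumed (an assumption, not from the advisory) to include it.
    return major > max(FIXED_RELEASES)


def triage(inventory):
    """Return the hosts that still need an upgrade, with the release they should move to."""
    needs_upgrade = []
    for host, version_text in inventory:
        if not is_patched(version_text):
            major = parse_version(version_text)[0]
            # Stay on the same major line where a fix exists; otherwise go to 11.1.0.
            target = FIXED_RELEASES.get(major, FIXED_RELEASES[11])
            needs_upgrade.append((host, version_text, ".".join(map(str, target))))
    return needs_upgrade


# Constructed inventory, as might be exported from a CMDB or a banner sweep; not real hosts.
SAMPLE_INVENTORY = [
    ("mft-dmz.example.com", "CrushFTP 11.1.0"),
    ("mft-legacy.example.com", "CrushFTP 9.4.0"),
    ("mft-01.example.com", "10.6.2"),
    ("mft-02.example.com", "11.0.3"),
    ("mft-03.example.com", "10.7.1"),
]

if __name__ == "__main__":
    for host, current, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {current}, upgrade to {target} or later")
```

Because the bug is exploitable without authentication, a host that fails this check and exposes its web interface to the internet should be treated as potentially compromised until its logs have been reviewed, not merely scheduled for patching.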


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
