Ransomware/Malware Activity
GhostEngine Crypto Mining Malware Kills EDR Processes
Security researchers at Elastic Security Labs and Antiy have discovered and detailed a new crypto mining malware campaign named “REF4578” which uses vulnerable drivers to disable common Endpoint Detection and Response (EDR) software. The main malware deployed in the attack is named GhostEngine, which is initially staged by an executable named “Tiworker.exe”. “Tiworker.exe” downloads GhostEngine’s primary loader named “get.png” which downloads additional modules, disables Windows Defender, clears Windows event logs, and creates scheduled tasks for persistence. The “get.png” loader also launches GhostEngine’s primary payload called “smartsscreen.exe” which terminates and deletes EDR software prior to launching the main crypto miner executable. GhostEngine terminates the EDR software running on the victim machine by leveraging two (2) vulnerable drivers: “aswArPots.sys” (an Avast Anti-Rootkit Driver that terminates the EDR process) and “IObitUnlockers.sys” (which deletes the EDR executable). In addition, Ghost engine deploys “kill.png” as a redundant script that continuously scans for any new EDR processes to terminate and delete. Once the EDR solution is terminated and deleted, it can be difficult for defenders to prevent and detect the crypto mining malware. Researchers at Elastic recommend that organizations prioritize the detection of suspicious PowerShell execution from unusual directories, elevation of privileges, and the deployment of vulnerable drivers. CTIX analysts recommend that organizations review the indicators of compromise associated with this campaign to inform threat hunting and to regularly perform security feed health checks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Newly Discovered Chinese Hackers Conducting Espionage in South China Sea Region
A previously unknown threat actor called Unfading Sea Haze has been linked to the targeting of at least eight (8) unidentified government and military entities belonging to South China Sea countries. The threat group has been active since at least 2018 and has gone undetected until now. Researchers believe Unfading Sea Haze is aligned with Chinese interests based on their choice of targets who have overlapping geo-political interests in the South Pacific, with the primary goal of the attacks appearing to be espionage. Despite no overlap in the threat actor's attack signatures with other known hacking groups, additional elements indicate a connection to China such as the use of various Gh0st RAT variants, a commodity trojan heavily used by Chinese-speaking threat actors and in espionage campaigns by Beijing-backed government hackers. The attackers have been observed regaining repeated access to compromised systems along with conducting data exfiltration activities. Initial access has been less clear, but one known vector has been spear-phishing emails, observed as recently as May 2023, containing malicious LNK files that install a backdoor onto the victim system. Additional malware payloads and tools are used once inside the system to conduct secondary activities like expanding access, taking over administrator accounts, evading detection, and collecting browser data. Data exfiltration looks to be performed manually to capture specific information of interest, including data from messaging applications, for targeted espionage focused on sensitive information. The arsenal used by Unfading Sea Haze, as mix of custom and off-the-shelf tools, highlights the group's flexibility and evasion techniques with a focus on bypassing traditional security measures to successfully conduct espionage missions. CTIX will continue to report on new and emerging threat groups.
- The Record: Unfading Sea Haze Article
- The Hacker News: Unfading Sea Haze Article
- Bleeping Computer: Unfading Sea Haze Article
Vulnerabilities
Ivanti Patches Multiple Critical Vulnerabilities
Ivanti has patched multiple critical vulnerabilities in its Endpoint Manager (EPM), including six (6) SQL injection flaws (CVE-2024-29822 to CVE-2024-29827) that allow unauthenticated remote code execution and four (4) similar flaws (CVE-2024-29828 to CVE-2024-29846) requiring authentication, affecting versions 2022 SU5 and earlier. A high-severity flaw, tracked as CVE-2024-29848, in Avalanche also permits remote code execution via a maliciously crafted file. Additionally, vulnerabilities in Neurons for ITSM, Connect Secure, and Secure Access clients were fixed. Netflix's Genie engine has a critical path traversal flaw (CVE-2024-4701) that can lead to remote code execution by exploiting its REST API to write arbitrary files. These disclosures, emphasizing secure design practices, coincide with warnings about other critical vulnerabilities like those in Honeywell's Control Edge UOC, which can lead to full control of the controller via unauthenticated remote code execution. CTIX analysts recommend that all administrators responsible for the affected products ensure that their software is up-to-date with the latest patches to prevent future exploitation.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice
