Ankura CTIX FLASH Update - May 29, 2024

Ransomware/Malware Activity

New ShrinkLocker Ransomware uses BitLocker for Encryption

Researchers at Kaspersky have discovered a new ransomware strain, dubbed "ShrinkLocker", that uses the built-in Windows BitLocker feature to encrypt victim machines rather than shipping its own encryptor. ShrinkLocker is written in VBScript and, before doing anything destructive, runs a series of checks against the host (Windows version and other system parameters) that must pass for the attack to continue. It then modifies registry entries to disable Remote Desktop connections and to enable BitLocker on systems without a Trusted Platform Module (TPM). Using the diskpart utility, it shrinks the existing non-boot partitions, creates new primary volumes from the freed space, and reinstalls the boot files onto those volumes, effectively locking users out of the system. ShrinkLocker does not drop a ransom note; instead, the attackers' contact email is written as the label of the new boot partitions, which is easy to miss. After encryption it deletes the BitLocker key protectors, leaving the victim no local recovery option.

Multiple variants have been observed targeting government entities and companies in the vaccine and manufacturing sectors in Mexico, Indonesia, and Jordan, and the operation appears to be more destructive than financially motivated. Kaspersky recommends that organizations secure their BitLocker recovery keys, maintain offline backups, and use Endpoint Detection and Response (EDR) platforms to detect and block this behaviour. Because the protectors are removed only after encryption completes, detection has to fire on the preparatory steps (a script host spawning diskpart and rewriting boot files) rather than on the outcome. CTIX analysts will continue to report on novel and interesting new malware threats.

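As an added example (editor's code, not Kaspersky's or Ankura's), the following script implements the kind of EDR-style sequence detection the recommendation above calls for: it walks constructed process-creation events, keeps only ShrinkLocker-like stages (diskpart, bcdboot, the RDP and no-TPM registry writes, protector deletion) that were spawned under wscript.exe or cscript.exe, and alerts when enough distinct stages cluster on one host within a short window. The hosts, PIDs, timestamps and command lines are invented for the demo; the registry value names (fDenyTSConnections, EnableBDEWithNoTPM) and tool switches are the standard Windows ones and are the editor's assumption about how the script's actions would surface in telemetry, not indicators quoted from the report.

```python
"""Added example, not Kaspersky's or Ankura's code: EDR-style sequence detection
for the ShrinkLocker chain, run over constructed process-creation events
(Sysmon event 1 / 4688 shaped). Hosts, PIDs, timestamps and command lines are
invented; registry value names and tool switches are the editor's assumption
about how the script's actions would appear in telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # VBScript runs under these

# stage -> (image basename, optional regex over the command line)
STAGES = {
    "shrink_partition": ("diskpart.exe", None),
    "reinstall_boot_files": ("bcdboot.exe", None),
    "disable_rdp": ("reg.exe", re.compile(r"fDenyTSConnections.*\b1\b", re.I)),
    "bitlocker_no_tpm": ("reg.exe", re.compile(r"EnableBDEWithNoTPM.*\b1\b", re.I)),
    "delete_protectors": ("manage-bde.exe", re.compile(r"-protectors\s+-delete", re.I)),
}
WINDOW = timedelta(minutes=30)   # stages must cluster inside this span
MIN_STAGES = 3                   # distinct stages needed before alerting


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Map one process-creation event to a ShrinkLocker stage, or None."""
    img = basename(ev["image"])
    for stage, (stage_img, pat) in STAGES.items():
        if img == stage_img and (pat is None or pat.search(ev["cmdline"])):
            return stage
    return None


def has_script_host_ancestor(ev, by_pid, max_depth=8):
    """Walk parent links on the same host; True if wscript/cscript is an ancestor.
    by_pid keeps the last event per (host, pid); PID reuse would need timestamp checks."""
    pid = ev["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get((ev["host"], pid))
        if parent is None:
            return False
        if basename(parent["image"]) in SCRIPT_HOSTS:
            return True
        pid = parent["ppid"]
    return False


def detect(events):
    """One alert per host where >= MIN_STAGES distinct stages, all spawned under a
    script host, occur within WINDOW of each other."""
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = classify(e)
        if stage and has_script_host_ancestor(e, by_pid):
            hits[e["host"]].append((e["ts"], stage))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            window = [(t, s) for t, s in seq[i:] if t - t0 <= WINDOW]
            stages = sorted({s for _, s in window})
            if len(stages) >= MIN_STAGES:
                alerts.append({"host": host, "stages": stages,
                               "first": t0, "last": window[-1][0]})
                break
    return alerts


T0 = datetime(2024, 5, 28, 9, 0, 0)
SYS = r"C:\Windows\System32"


def _ev(host, pid, ppid, image, cmdline, minutes):
    return {"host": host, "pid": pid, "ppid": ppid, "image": image,
            "cmdline": cmdline, "ts": T0 + timedelta(minutes=minutes)}


SAMPLE_EVENTS = [  # constructed telemetry, not real sensor data
    # WKS-01: the full chain under wscript.exe
    _ev("WKS-01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe", 0),
    _ev("WKS-01", 200, 100, SYS + r"\wscript.exe", r"wscript.exe C:\Users\Public\Disk.vbs", 1),
    _ev("WKS-01", 201, 200, SYS + r"\diskpart.exe", r"diskpart.exe /s C:\Users\Public\dp.txt", 2),
    _ev("WKS-01", 202, 200, SYS + r"\reg.exe",
        r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f', 3),
    _ev("WKS-01", 203, 200, SYS + r"\reg.exe",
        r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f", 3),
    _ev("WKS-01", 204, 200, SYS + r"\bcdboot.exe", r"bcdboot.exe C:\Windows /s E:", 5),
    _ev("WKS-01", 205, 200, SYS + r"\manage-bde.exe", "manage-bde.exe -protectors -delete C:", 12),
    # SRV-02: an administrator resizing a volume from cmd.exe; no script host
    _ev("SRV-02", 500, 1, r"C:\Windows\explorer.exe", "explorer.exe", 0),
    _ev("SRV-02", 505, 500, SYS + r"\cmd.exe", "cmd.exe", 1),
    _ev("SRV-02", 510, 505, SYS + r"\diskpart.exe", "diskpart.exe", 2),
    # WKS-03: a logon script under wscript.exe that only touches an unrelated key
    _ev("WKS-03", 300, 1, SYS + r"\wscript.exe", r"wscript.exe \\dc01\netlogon\logon.vbs", 0),
    _ev("WKS-03", 301, 300, SYS + r"\reg.exe", r"reg.exe add HKCU\Software\Corp /v Mapped /d 1 /f", 1),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['host']}: {', '.join(a['stages'])} between {a['first']:%H:%M} and {a['last']:%H:%M}")
```

Requiring a script-host ancestor is what separates the chain from an administrator resizing a volume from cmd.exe, and requiring several distinct stages in one window keeps a lone logon script that writes a registry value from alerting. Tune WINDOW and MIN_STAGES to your telemetry, and key the parent lookup on process GUIDs rather than PIDs where the sensor provides them, since PIDs are reused.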
Threat Actor Activity

Morocco-based Storm-0539 Aggressively Profiting off Gift Card Fraud Campaign

A new report from Microsoft sheds light on Storm-0539, also tracked as Atlas Lion, a Morocco-based cybercriminal group that has carved out a niche in infiltrating large retailers' systems and fraudulently issuing gift card codes to itself. Rather than the more common approach of tricking victims into paying with gift cards, the group compromises the issuing environment and stays resident so it can "print its own money" through repeated thefts. Gift cards appeal to criminals because they are anonymous and attract little scrutiny, and this kind of fraud typically spikes around holidays; Microsoft observed a significant uptick in Storm-0539 activity in the run-up to Memorial Day, indicating deliberate timing. Over the years the group has shifted from malware attacks on point-of-sale devices to abusing cloud services and card-issuing systems at prominent retailers and well-known brands. Its tradecraft includes thorough reconnaissance, phishing and smishing to compromise employee accounts, posing as legitimate organizations (including obtaining genuine nonprofit documentation) to secure discounted cloud resources, and building misleading websites to support the lures. Once inside, the actors bypass multi-factor authentication, create new gift cards, and monetize them through various illicit channels, with daily thefts reaching up to $100,000 in some instances. Organizations that issue gift cards are advised to treat their card-issuing portals as high-value targets that warrant robust security controls, and to complement multi-factor authentication with conditional access policies that also evaluate the IP geolocation of the request and the compliance status of the device making it.

Vulnerabilities

TP-Link Patches Critical Vulnerability in Popular Gaming Router

The TP-Link Archer C5400X gaming router contains a critical vulnerability that allows an unauthenticated remote attacker to execute commands on the device, which could lead to device hijacking, traffic interception, and a foothold on the internal network. The flaw, tracked as CVE-2024-5035 with a CVSS score of 10.0, affects all firmware versions up to and including 1_1.1.6. Researchers from OneKey identified it through static analysis of the "rftest" binary, which exposes a network service on TCP ports 8888, 8889, and 8890; commands received by that service reach a shell unsanitized, so a request containing shell metacharacters achieves arbitrary command execution with elevated privileges. TP-Link released a patch on May 24, 2024, in firmware version 1_1.1.7, which rejects commands containing those special characters. CTIX analysts strongly advise users to update their firmware to secure their routers from exploitation.

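To make the bug class concrete, here is an added example written by the editor (not TP-Link's firmware or OneKey's proof of concept) of a request handler in the shape of the rftest flaw. The vulnerable form copies request text into a buffer destined for the shell, so ";" or a backtick turns one command into several; the first hardened form applies the metacharacter denylist the page attributes to firmware 1_1.1.7; the second, stronger form splits the request into argv, checks the program name against an allowlist, and execs it with no shell at all, so metacharacters become literal argument bytes. The metacharacter set and the allowed program names ("wl", "nvram") are the editor's assumptions, not values published on this page.

```c
/* Added example by the editor, not TP-Link's or OneKey's code. Models the
 * rftest-style flaw: request text handed to a shell (vulnerable), a
 * metacharacter denylist (the patch approach described on the page), and a
 * shell-free allowlisted exec (the stronger fix). The metacharacter set and
 * the allowed program names are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256
#define ARGV_MAX 16

/* Characters that let a request break out of the intended command once the
 * text reaches /bin/sh (assumed set; TP-Link's exact list is not on the page). */
static const char SHELL_META[] = ";|&$`<>()\\\"'\n\r*?~[]{}";

/* Denylist check: 1 if req contains any shell metacharacter, else 0. */
int has_shell_meta(const char *req) {
    for (const char *p = req; *p; p++)
        if (strchr(SHELL_META, *p) != NULL)
            return 1;
    return 0;
}

/* Vulnerable shape: the request is copied verbatim into the buffer that the
 * original service would then pass to system()/popen(). Dry run: the string is
 * returned instead of executed, so "wl ver; telnetd -l /bin/sh" can be seen
 * reaching the shell as two commands. Returns 0, or -1 if it does not fit. */
int vulnerable_build(const char *req, char *cmd, size_t n) {
    int w = snprintf(cmd, n, "%s", req);
    return (w < 0 || (size_t)w >= n) ? -1 : 0;
}

/* Programs the hardened handler may run (assumed names). */
static const char *ALLOWED[] = { "wl", "nvram", NULL };

/* Hardened: reject metacharacters, split on blanks into argv, and accept only
 * allowlisted programs. Returns argc, or -1 if the request is rejected.
 * argv entries point into buf, so buf must outlive them. */
int hardened_parse(const char *req, char *buf, size_t n, char *argv[], int argv_max) {
    if (has_shell_meta(req) || strlen(req) >= n)
        return -1;
    strcpy(buf, req);
    int argc = 0;
    char *p = buf;
    while (*p) {
        while (*p == ' ' || *p == '\t')
            *p++ = '\0';                 /* terminate the previous token */
        if (!*p)
            break;
        if (argc >= argv_max - 1)
            return -1;                   /* too many arguments */
        argv[argc++] = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
    }
    if (argc == 0)
        return -1;
    argv[argc] = NULL;
    for (const char **a = ALLOWED; *a; a++)
        if (strcmp(argv[0], *a) == 0)
            return argc;
    return -1;                           /* program not on the allowlist */
}

/* Run argv directly (no shell): the request text is never parsed as shell
 * syntax. Returns the child's exit status, or -1 on failure. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    const char *requests[] = { "wl ver", "wl ver; telnetd -l /bin/sh", "reboot" };
    char cmd[CMD_MAX], buf[CMD_MAX];
    char *argv[ARGV_MAX];
    for (size_t i = 0; i < sizeof requests / sizeof *requests; i++) {
        vulnerable_build(requests[i], cmd, sizeof cmd);
        int argc = hardened_parse(requests[i], buf, sizeof buf, argv, ARGV_MAX);
        printf("request %-28s -> shell would see \"%s\"; hardened: %s\n",
               requests[i], cmd, argc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The denylist alone is the weaker of the two fixes: any character missed from the set, or an escaping trick the shell accepts, reopens the hole, whereas execvp() with an explicit argv never gives the shell a chance to interpret the request. On a real device, run_argv() would be called with the argv that hardened_parse() accepted.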
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
