Ankura CTIX FLASH Update - June 11, 2024

Ransomware/Malware Activity

SickSync Malware Campaign Targets Ukrainian Defense Forces

The Computer Emergency Response Team of Ukraine (CERT-UA) released an advisory last week about a new malware campaign targeting Ukrainian defense forces. The "SickSync" campaign is named after its tactic of abusing a legitimate file-syncing application, SyncThing, to exfiltrate sensitive information from its targets. The attack begins with a phishing email carrying a ".rar" attachment that extracts a PDF document, an installer named "sync.exe", and a BAT script. The BAT script executes the "sync.exe" installer, which installs SyncThing alongside the SPECTR malware. SPECTR can capture screenshots of targeted program windows every ten (10) seconds, copy files from local directories and connected USB devices, and steal authentication data from browsers and instant messaging applications. The stolen information is written to a folder on the victim machine that SyncThing is configured to synchronize, so the legitimate sync traffic carries the data back to the attacker's systems. Because SyncThing is legitimate software, its presence alone is not an indicator; defenders should look for unexpected installations and unfamiliar peer devices. The group behind this campaign is thought to be "Vermin", which is tracked by CERT-UA and attributed by CERT-UA to employees of law enforcement agencies of the occupied Luhansk region. CERT-UA includes a full listing of Indicators of Compromise in its notice. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity

Wave of DDoS Attacks Hit Political Parties in the EU as Elections Begin

As the European Parliament elections unfold, with voting already under way in the Netherlands and soon to begin in the twenty-six (26) other EU member states, politically motivated cyberattacks have surged. Hacktivist groups have specifically targeted European political parties that oppose their interests, launching distributed denial of service (DDoS) attacks to disrupt election-related activities. Cloudflare has reported mitigating at least three (3) waves of DDoS attacks in the Netherlands, highlighting two (2) major incidents on June 5th and 6th that aimed to overwhelm political sites with an unprecedented number of requests per hour. The Russian hacktivist group 'HackNeT' has claimed responsibility for these attacks, which targeted right-wing nationalist parties such as PVV (Party for Freedom) and FvD (Forum for Democracy), both known for their skepticism toward the EU and NATO and their sympathetic views toward Russia. These attacks raise concerns over the influence of hacktivism on the political landscape and the security of online platforms during critical election periods. Additionally, a "serious cyberattack" on the network of Germany's CDU (Christian Democratic Union) was announced on June 1st, 2024, marking another significant political cyberattack within the EU, with the CDU's stance on Russia's invasion of Ukraine a possible factor in the targeting. German authorities are investigating and mitigating the attack and have advised political entities to strengthen their protective measures. With more elections to come this year, both in the EU and around the world, CTIX analysts will continue monitoring the trend of cyberattacks being used as a tool for political interference, as well as what organizations can do to uphold robust cybersecurity defenses.
Vulnerabilities

Critical RCE Vulnerability in PHP Affects All Versions on Windows

A new critical security flaw in PHP installations on Windows, tracked as CVE-2024-4577, enables remote code execution (RCE) through CGI argument injection. Discovered by Devcore researcher Orange Tsai, the flaw affects PHP running in CGI mode on Windows in all versions since 5.x and stems from an oversight in character encoding conversion: the Windows "Best-Fit" feature maps certain non-ASCII characters to ASCII look-alikes, so a byte that PHP's CGI safeguards do not treat as a hyphen (the 0xAD soft hyphen) is converted to an ASCII hyphen before php-cgi parses its command-line options. This bypasses the protections added for an older vulnerability, CVE-2012-1823, and lets an attacker pass arbitrary options such as "-d" to php-cgi, leading to arbitrary code execution on the server. XAMPP installations on Windows using the Traditional Chinese, Simplified Chinese, or Japanese locales are affected in their default configuration. Patches have been released in PHP 8.3.8, 8.2.20, and 8.1.29, but older branches (8.0, 7.x, and 5.x) are end-of-life and will not receive a fix, so many systems are likely to remain vulnerable. Users are urged to upgrade to the patched versions or, where an immediate upgrade is not feasible, to apply the recommended mitigations; experts also recommend moving off the outdated PHP CGI mode to mod_php, FastCGI, or PHP-FPM. The Shadowserver Foundation and watchTowr Labs have already observed exploitation attempts, and the bug is simple to exploit, underscoring the urgency of patching. CTIX analysts recommend that administrators patch this flaw immediately to prevent exploitation.
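To make the mechanics concrete, the following Python is an added example, not code from this update, from the PHP project, or from Devcore. It models how a CGI web server turns a query string with no unencoded "=" into php-cgi argv (RFC 3875 search-string handling), how the Best-Fit conversion in the affected code pages turns the 0xAD soft hyphen into an ASCII "-" so that "%ADd" becomes a "-d" option, and a log check that flags requests showing that pattern. The BEST_FIT table is a deliberately minimal model of the Windows mapping (the real tables contain many more entries), and the access-log lines are constructed, not real traffic.

```python
"""Model of the CVE-2024-4577 php-cgi argument injection plus a log check.

Added example; not the PHP project's code. Assumptions are labelled below.
"""
from urllib.parse import unquote_to_bytes

# Windows "Best-Fit" conversion in the affected code pages (Traditional Chinese
# 950, Simplified Chinese 936, Japanese 932) maps the soft hyphen 0xAD to the
# ASCII hyphen 0x2D. This dict is a minimal MODEL of that mapping, not the full
# Windows table.
BEST_FIT = {0xAD: 0x2D}


def cgi_argv_from_query(query: str) -> list[bytes]:
    """Reproduce how a CGI server turns a query string into php-cgi argv.

    RFC 3875: a query string containing no unencoded '=' is treated as a
    search string, split on '+' and percent-decoded into argv words.
    """
    if "=" in query:
        return []
    return [unquote_to_bytes(word) for word in query.split("+") if word]


def best_fit(word: bytes) -> bytes:
    """Apply the modelled Best-Fit mapping to one argv word."""
    return bytes(BEST_FIT.get(b, b) for b in word)


def injected_ini_directives(query: str) -> list[str]:
    """Return php.ini directives an attacker would smuggle in via -d.

    Before Best-Fit each word starts with 0xAD, which php-cgi's CGI safeguard
    does not treat as an option marker; after Best-Fit it starts with '-d',
    which php-cgi honours. Both '-dname=value' and '-d name=value' are handled.
    """
    argv = [best_fit(w) for w in cgi_argv_from_query(query)]
    directives = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith(b"-d"):
            if len(arg) > 2:
                directives.append(arg[2:].decode("latin-1"))
            elif i + 1 < len(argv):
                i += 1
                directives.append(argv[i].decode("latin-1"))
        i += 1
    return directives


def is_attack_query(query: str) -> bool:
    """Detection rule: flag a query string that, after CGI splitting and
    Best-Fit conversion, yields an argv word starting with '-'.

    This also catches the original CVE-2012-1823 form ('?-s'), and it is
    broader than checking only for a leading '%AD', since the injected option
    can sit at any word position.
    """
    return any(best_fit(w).startswith(b"-") for w in cgi_argv_from_query(query))


# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:08:01:12 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:08:01:15 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 88
203.0.113.9 - - [10/Jun/2024:08:02:01 +0000] "GET /test.php?-s HTTP/1.1" 200 1400
"""


def flag_log(log: str) -> list[str]:
    """Return request targets whose query string looks like php-cgi argument
    injection (CVE-2024-4577 or the older CVE-2012-1823)."""
    hits = []
    for line in log.splitlines():
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        if "?" in target and is_attack_query(target.split("?", 1)[1]):
            hits.append(target)
    return hits


if __name__ == "__main__":
    for target in flag_log(SAMPLE_LOG):
        query = target.split("?", 1)[1]
        print("suspicious:", target, injected_ini_directives(query))
```

The second constructed log line shows why the bug is so easy to exploit: with allow_url_include enabled and auto_prepend_file pointed at php://input, the POST body is executed as PHP. The PHP project's advisory for this CVE offers a mod_rewrite rule that rejects query strings beginning with "%ad" for servers that cannot upgrade immediately; the is_attack_query check above is intentionally broader and is meant for retrospective log review rather than as a replacement for patching or for moving off CGI mode.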
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
