
Ankura CTIX FLASH Update - June 18, 2024

Ransomware/Malware Activity

DISGOMOJI Linux Malware Commanded by Emojis

Researchers at Volexity have reported on a Linux malware strain named “DISGOMOJI” that has been observed targeting government agencies in India. The threat actor behind the campaign is believed to be Pakistan-based and is tracked as “UTA0137”. UTA0137 builds on the open-source command-and-control (C2) project “discord-c2”, which uses a Discord server as the C2 channel. The operators issue commands to DISGOMOJI as emojis, with each emoji mapped to a command: a man-running emoji executes a command on the victim’s device, a camera emoji takes a screenshot of the victim’s screen, and a fire emoji finds and sends to the attacker all files matching an extension list. Other capabilities include zipping Firefox profiles on the victim’s device and downloading and uploading additional files. Because the C2 channel rides on Discord’s legitimate infrastructure rather than an attacker-registered domain, network defenders should treat Discord API traffic from Linux endpoints with no business reason for it as worth investigating. Volexity believes the malware was built to target BOSS, a custom Linux distribution that Indian government agencies use on their desktops. The campaign begins with a spear-phishing email carrying a ZIP archive. When the archive is unzipped, a Golang ELF binary downloads DISGOMOJI from a remote server while displaying a benign decoy PDF consistent with the attacker’s pretext. Volexity notes that UTA0137 has been improving DISGOMOJI over time and that the malware has been successfully deployed in several attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
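To make the emoji-keyed C2 concrete, here is an added analyst-side decoder (not DISGOMOJI’s or discord-c2’s code) that maps messages from a Discord channel to the three commands the report names. The command table, the command names, and the sample messages are assumptions constructed for this example. It also strips the variation selectors, skin-tone modifiers and zero-width-joiner sequences that chat clients attach to an emoji, since the same pictogram can arrive as several different code-point sequences and a decoder that compares raw strings would miss them.

```python
# Added example (not DISGOMOJI's or discord-c2's code): a defender-side decoder for an
# emoji-keyed C2 protocol of the kind Volexity describes. The command table is an
# assumption built from the three mappings in the write-up; the messages are constructed.

# Assumed mapping: base emoji code point -> command name. Only the three commands named
# in the report are modelled; the real malware's full table is not reproduced here.
COMMANDS = {
    "\U0001F3C3": "exec",           # man running: run a shell command on the host
    "\U0001F4F7": "screenshot",     # camera: capture the screen
    "\U0001F525": "collect_files",  # fire: find and send files matching an extension list
}

# Code points a chat client may append to an emoji without changing which pictogram it is:
# variation selectors, the zero-width joiner and gender signs (e.g. the "man running"
# variant is U+1F3C3 U+200D U+2642 U+FE0F) and the five Fitzpatrick skin-tone modifiers.
_DECORATIONS = {0xFE0E, 0xFE0F, 0x200D, 0x2640, 0x2642}
_SKIN_TONES = range(0x1F3FB, 0x1F400)


def decode_message(text: str):
    """Map one chat message to (command, argument), or None if it carries no command.

    The first code point must be a known command emoji; any decoration code points that
    follow it are skipped, so "emoji + space + args" and "emoji + args" both decode.
    """
    text = text.strip()
    if not text or text[0] not in COMMANDS:
        return None
    i = 1
    while i < len(text) and (ord(text[i]) in _DECORATIONS or ord(text[i]) in _SKIN_TONES):
        i += 1
    return COMMANDS[text[0]], text[i:].strip()


def triage_channel(messages):
    """Return the messages that decode to a command, with the decoded operator intent."""
    hits = []
    for msg in messages:
        decoded = decode_message(msg["content"])
        if decoded:
            hits.append({"author": msg["author"], "command": decoded[0], "arg": decoded[1]})
    return hits


# Constructed sample channel history (not real captured traffic). The first message uses
# the ZWJ "man running" variant and the third carries a trailing variation selector.
SAMPLE_MESSAGES = [
    {"author": "operator", "content": "\U0001F3C3\u200d\u2642\ufe0f cat /etc/os-release"},
    {"author": "operator", "content": "\U0001F4F7"},
    {"author": "operator", "content": "\U0001F525\ufe0f pdf,docx,xlsx"},
    {"author": "teammate", "content": "lunch at 12?"},
]

if __name__ == "__main__":
    for hit in triage_channel(SAMPLE_MESSAGES):
        print(hit)
```

Running the block decodes the three operator messages and ignores the benign one. An analyst working from a Discord server export or a sandbox transcript can feed that history in place of SAMPLE_MESSAGES to reconstruct the operator’s command sequence; the decoration-stripping matters because the exported text for the same command can differ from the sample the malware was written against.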



Threat Actor Activity

Hacker from Scattered Spider Arrested

Spanish authorities, working with the FBI, detained a 22-year-old British man at Palma Airport who is suspected of being a ringleader of the Scattered Spider hacking group. The group has been implicated in high-profile incidents, including the 2023 attack on MGM Resorts that resulted in a reported $100 million loss. Unlike a traditional cybercrime organization, Scattered Spider operates as a loose collective and relies on social engineering, including SIM swapping and phishing, to get into the networks of major companies such as Coinbase and LastPass. The arrest follows the earlier apprehension of another affiliate, Noah Urban, in Florida, and reflects a broader law enforcement crackdown on members of Scattered Spider and associated entities who until recently operated with a sense of impunity behind the anonymity of the internet. The individual detained in Spain, known by the alias "Tyler" and identified as Tyler Buchanan of Scotland, is reported to have played a significant role in the group's operations, specializing in SIM swapping, a technique that hijacks a victim's phone number so that SMS-delivered one-time codes and password-reset messages reach the attacker instead. He is the second member of Scattered Spider to be arrested after Urban. These arrests are part of ongoing efforts to dismantle a group that has evolved from credential harvesting and SIM swapping to ransomware and data-theft extortion. Scattered Spider, also tracked as 0ktapus and UNC3944, has shifted toward encryption-less extortion, targeting software-as-a-service (SaaS) applications to exfiltrate sensitive data. Its tradecraft includes abusing legitimate cloud synchronization utilities for exfiltration and abusing Okta permissions to conduct internal reconnaissance and widen the intrusion.

The group's targeting of CyberArk's Privileged Access Security solution highlights its methodical approach to compromising corporate networks. CTIX analysts recommend heightened monitoring of SaaS applications, centralizing logs from important services, increasing scrutiny of MFA re-registrations (a factor reset or new factor enrollment is the footprint left by a SIM swap or a help-desk social-engineering takeover), and implementing more stringent access policies within cloud tenants.
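As an added illustration of the MFA re-registration recommendation (this is example code, not anything from the Ankura or Mandiant reporting), the block below runs a detection pass over Okta System Log events: it flags any administrative reset of all factors, and any session that starts from an IP address the user has not used before within an hour of an authenticator change. The log lines are constructed in the shape of Okta's System Log (eventType, published, actor, target, client.ipAddress, outcome.result); the users, addresses and timestamps are fictional.

```python
# Added example, not part of the original update: detection logic for the MFA
# re-registration pattern over Okta System Log events. SAMPLE_LOG is constructed data.
import json
from datetime import datetime, timedelta

# Okta System Log event types that change a user's enrolled authenticators.
MFA_REREG_EVENTS = {
    "user.mfa.factor.activate",
    "user.mfa.factor.update",
    "user.mfa.factor.deactivate",
    "user.mfa.factor.reset_all",
}

# Constructed sample: alice enrols a factor and then logs in from a new address; bob
# updates a factor from his usual address; carol has all factors reset by the help desk
# and then logs in from an address never seen for her account.
SAMPLE_LOG = """\
{"published":"2024-06-18T08:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"203.0.113.10"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T08:10:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"target":[],"client":{"ipAddress":"203.0.113.22"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T08:30:00.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"alice@example.com"},"target":[{"type":"User","alternateId":"alice@example.com"}],"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T08:40:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"target":[],"client":{"ipAddress":"198.51.100.7"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T08:50:00.000Z","eventType":"user.mfa.factor.update","actor":{"alternateId":"bob@example.com"},"target":[{"type":"User","alternateId":"bob@example.com"}],"client":{"ipAddress":"203.0.113.22"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T09:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"target":[],"client":{"ipAddress":"203.0.113.22"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T09:10:00.000Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"carol@example.com"}],"client":{"ipAddress":"203.0.113.5"},"outcome":{"result":"SUCCESS"}}
{"published":"2024-06-18T09:20:00.000Z","eventType":"user.session.start","actor":{"alternateId":"carol@example.com"},"target":[],"client":{"ipAddress":"192.0.2.44"},"outcome":{"result":"SUCCESS"}}
"""


def load_events(text):
    """Parse newline-delimited JSON events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _when(ev):
    return datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))


def _subject(ev):
    """The user whose account is affected: the User target for admin-driven events, else the actor."""
    for t in ev.get("target") or []:
        if t.get("type") == "User":
            return t["alternateId"]
    return ev["actor"]["alternateId"]


def find_suspicious_reregistrations(events, window=timedelta(hours=1)):
    """Return (user, reason) findings for risky authenticator changes.

    A session from an address the user has never used, started within `window` of an
    authenticator change, is flagged; so is every reset of all factors, because that is
    the action a help desk performs after being socially engineered.
    """
    known_ips = {}     # user -> addresses seen on sessions that were not flagged
    recent_rereg = {}  # user -> (timestamp, eventType) of the latest authenticator change
    findings = []
    for ev in sorted(events, key=_when):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user, et = _subject(ev), ev["eventType"]
        ip = ev.get("client", {}).get("ipAddress")
        if et in MFA_REREG_EVENTS:
            recent_rereg[user] = (_when(ev), et)
            if et == "user.mfa.factor.reset_all":
                findings.append((user, f"all factors reset by {ev['actor']['alternateId']}"))
        elif et == "user.session.start":
            seen = known_ips.setdefault(user, set())
            rereg = recent_rereg.get(user)
            if rereg and _when(ev) - rereg[0] <= window and ip not in seen:
                minutes = int((_when(ev) - rereg[0]).total_seconds() // 60)
                findings.append((user, f"session from unseen IP {ip} {minutes} min after {rereg[1]}"))
            else:
                seen.add(ip)
    return findings


if __name__ == "__main__":
    for user, reason in find_suspicious_reregistrations(load_events(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

On the sample this reports alice's post-enrolment session from 198.51.100.7 and both of carol's events, and stays quiet about bob. In production the known-address baseline should be built from weeks of prior session history rather than the same batch, and the query belongs in the centralized log store the recommendation above calls for, since the actor's sessions into downstream SaaS applications will only correlate with the Okta events if both are in one place.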


Vulnerabilities

ASUS Patches Critical Vulnerabilities in Multiple Routers

ASUS has released firmware updates to address critical vulnerabilities in several popular router models. One major flaw, tracked as CVE-2024-3080 (CVSS 9.8/10), is an authentication bypass that allows a remote attacker to log in to a device without credentials. Affected models include the ZenWiFi XT8, RT-AX57, RT-AC86U, and RT-AC68U, each with a specific firmware update that mitigates the issue. A second critical vulnerability, tracked as CVE-2024-3912 (CVSS 9.8/10), allows a remote attacker to execute system commands by uploading arbitrary firmware. Impacted models include the DSL-N17U, DSL-N55U, and DSL-AC56U. Some older models will not receive updates because they have reached end-of-life; users who cannot replace those devices immediately are advised to disable remote access features, since both flaws are reachable by a remote attacker. ASUS also updated Download Master to version 3.1.0.114 to fix several medium- to high-severity issues. CTIX analysts urge users to update their firmware, confirm after the update that the installed version matches the fixed release ASUS lists for their model, and follow recommended security practices such as using strong, unique administrator passwords and disabling remote access features.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
