
Ankura CTIX FLASH Update - June 25, 2024

Ransomware/Malware Activity


Rafel RAT Android Malware Deployed for Espionage and Ransomware

Researchers at Check Point have released an analysis of “Rafel RAT”, an Android remote access trojan observed targeting devices running older, unsupported versions of Android. Check Point identified approximately 120 Rafel RAT campaigns; most targeted victims in the United States, China, and Indonesia, and some targeted high-profile organizations and military entities. Rafel RAT can both steal and encrypt data on the victim device. Its core information-stealing commands exfiltrate the victim’s phonebook, SMS messages, device information, location, and file path listings to the attacker’s command-and-control (C2) platform. A ransomware variant can additionally delete or encrypt files and lock the device screen; in those cases the attacker sends the victim an SMS containing the ransom note and instructs them to contact the attacker on Telegram to negotiate. Rafel RAT is distributed through phishing, and researchers have seen it masquerading as well-known applications such as Instagram, WhatsApp, and antivirus apps to trick users into sideloading it. Multiple threat actors are believed to be behind these campaigns. CTIX analysts recommend that individuals keep their operating system up to date, never install applications from unknown sources, and review the permissions an application requests before granting them (a supposed antivirus or messaging app that asks for SMS, contacts, and device-administrator access is a red flag). CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.


Threat Actor Activity


US Bans Kaspersky Antivirus Software and Sanctions a Dozen Executives

The Biden administration has announced a comprehensive ban on Kaspersky Lab's antivirus software and related cybersecurity products within the United States, a policy move that the Secretary of Commerce described as intended to safeguard national security, “out-innovate” adversaries, and protect critical infrastructure from potential cyber threats. The Department of Commerce’s Bureau of Industry and Security (BIS) issued the Final Determination on June 20, 2024. It prohibits the Russia-based firm from entering into new agreements with U.S. persons and businesses, directly or indirectly, beginning July 20, 2024, and bars Kaspersky from providing software or antivirus signature updates, resales, or licensing to its existing U.S. customers after September 29, 2024. BIS is urging current customers to transition to alternative security solutions before that deadline, since a product that no longer receives signature updates loses most of its protective value. This unprecedented action stems from longstanding concerns over Kaspersky's alleged ties with the Russian government and the potential for those ties to be exploited to collect sensitive U.S. information or conduct cyber espionage. The U.S. government's apprehensions have been fueled by incidents such as Kaspersky's acquisition of classified security tools linked to the NSA, which raised fears that the Russian FSB, or insiders within Kaspersky, could use the company's antivirus telemetry as a global scanning tool for sensitive files. Kaspersky has stated that it intends to challenge the decision, arguing that the measures are based on geopolitical tensions and theoretical risks rather than an objective assessment of its products and services, and the company has consistently denied any wrongdoing or any connection with a government that would compromise U.S. national security. BIS also added Kaspersky Lab and its associated entities to the Entity List for alleged cooperation with Russian military and intelligence efforts, further restricting their operations within the U.S. market.
Despite this, Kaspersky says it will continue protecting its global customers from cyber threats, emphasizing its commitment to cybersecurity and international cooperation in combating cybercrime. Separately, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) imposed sanctions on a dozen executives and senior leaders at Kaspersky Lab. CTIX analysts recommend that all Kaspersky users begin identifying and testing replacement solutions as soon as possible, and that organizations inventory every host, appliance, and embedded product that bundles a Kaspersky engine so that nothing is left unprotected when updates stop. For guidance and services on security best practices or heightening security posture, please feel free to contact ctix@ankura.com.


Vulnerabilities


Phoenix UEFI Vulnerability Affecting Intel Chips Impacts Hundreds of Devices

A newly disclosed vulnerability in Phoenix SecureCore UEFI firmware, dubbed “UEFICANHAZBUFFEROVERFLOW”, affects a wide range of Intel CPU platforms, including Alder Lake, Coffee Lake, and Kaby Lake. The flaw, tracked as CVE-2024-0762, is a buffer overflow in the firmware's Trusted Platform Module (TPM) configuration handling: the firmware reads the attacker-writable TCG2_CONFIGURATION UEFI variable into a fixed-size buffer without bounding the copy by the buffer's size. It is not remotely exploitable; an attacker who already has local administrative access can set an oversized variable from the operating system and, on the next boot, overwrite firmware memory to gain code execution inside UEFI, where it can disable boot protections and install bootkit malware that persists across operating system reinstalls. Eclypsium initially identified the issue on Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen devices, and it was later confirmed to affect multiple Intel chip families, potentially impacting hundreds of models from vendors such as Lenovo, Dell, Acer, and HP. The TPM itself is not at fault; the bug is in the firmware code that consumes the TPM configuration. Eclypsium coordinated with Phoenix and Lenovo to address the issue, and fixed firmware has begun shipping, though updates for many models are still pending. Phoenix Technologies and Lenovo have urged users to apply firmware updates promptly. The flaw is comparable in impact to earlier UEFI threats such as BlackLotus and MosaicRegressor and highlights why UEFI vulnerabilities are so critical: code running at that level sits beneath the operating system and endpoint security tools and can provide a privileged, hard-to-detect backdoor. CTIX analysts urge users of the Eclypsium Platform to scan their fleets with the latest available version to identify vulnerable devices, and all other organizations to check their OEM's advisories for a patched firmware version and to verify installed firmware versions against it. Technical details can be found in Eclypsium's published report.
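The bug class behind CVE-2024-0762 is a common UEFI coding pattern: call GetVariable() once to learn the stored size, then call it again with that size as the copy length into a fixed buffer. The following is an added example (not code from Eclypsium, Phoenix, or any OEM) that models that pattern in user space beside the bounded form. The mock variable store, the frame layout, the canary, and the helper names are assumptions for illustration; only the variable name and the two-call read pattern follow the Eclypsium report.

```c
/*
 * Added example, not code from Eclypsium, Phoenix or any vendor: a user-space
 * model of the two-call GetVariable() pattern behind CVE-2024-0762 next to the
 * bounded form. The mock variable store, the frame layout and the canary are
 * assumptions for illustration; the variable name follows the Eclypsium report.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t EFI_STATUS;
#define EFI_SUCCESS          0ULL
#define EFI_BUFFER_TOO_SMALL (0x8000000000000000ULL | 5)
#define EFI_NOT_FOUND        (0x8000000000000000ULL | 14)

#define CONFIG_LEN 8                 /* fixed-size config buffer on the "stack" */
#define FRAME_LEN  (CONFIG_LEN + 4)  /* config buffer + 4 bytes of adjacent data */
#define CANARY     0xA5A5A5A5u       /* stands in for the saved return address */

/* Mock NVRAM holding one variable. Its size is attacker-chosen: on a real
 * system a local administrator can set it from the OS before rebooting.
 * The store is capped at FRAME_LEN so this model never writes outside `frame`;
 * real firmware has no such cap. (Constructed data, not a real capture.) */
static const char *g_var_name = "TCG2_CONFIGURATION";
static uint8_t g_var_data[FRAME_LEN];
static size_t  g_var_size = 0;

/* UEFI GetVariable() semantics: if *DataSize is smaller than the stored
 * variable, report the needed size in *DataSize and copy nothing. */
static EFI_STATUS MockGetVariable(const char *name, size_t *DataSize, void *Data) {
    if (strcmp(name, g_var_name) != 0) return EFI_NOT_FOUND;
    if (*DataSize < g_var_size) { *DataSize = g_var_size; return EFI_BUFFER_TOO_SMALL; }
    *DataSize = g_var_size;
    if (Data) memcpy(Data, g_var_data, g_var_size);
    return EFI_SUCCESS;
}

/* The frame's first CONFIG_LEN bytes are the config buffer; the 4 bytes after
 * it hold the canary that a real overflow would smash. */
static uint32_t read_canary(const uint8_t *frame) {
    uint32_t c; memcpy(&c, frame + CONFIG_LEN, sizeof c); return c;
}
static void init_frame(uint8_t *frame) {
    uint32_t c = CANARY; memset(frame, 0, CONFIG_LEN); memcpy(frame + CONFIG_LEN, &c, sizeof c);
}

/* Vulnerable pattern: query the stored size, then copy that many bytes into the
 * fixed buffer. The size came from NVRAM, so the attacker controls the copy length. */
uint32_t read_config_vulnerable(void) {
    uint8_t frame[FRAME_LEN]; init_frame(frame);
    size_t size = 0;
    MockGetVariable(g_var_name, &size, NULL);   /* EFI_BUFFER_TOO_SMALL; size = stored size */
    MockGetVariable(g_var_name, &size, frame);  /* writes `size` bytes into an 8-byte buffer */
    return read_canary(frame);                  /* 0x41414141 once the overflow clobbers it */
}

/* Hardened pattern: tell GetVariable() how big the destination is and treat
 * EFI_BUFFER_TOO_SMALL as a malformed variable rather than growing the copy. */
uint32_t read_config_hardened(int *rejected) {
    uint8_t frame[FRAME_LEN]; init_frame(frame);
    size_t size = CONFIG_LEN;
    EFI_STATUS st = MockGetVariable(g_var_name, &size, frame);
    *rejected = (st != EFI_SUCCESS);            /* caller falls back to safe defaults */
    return read_canary(frame);
}

/* Attacker step: plant a variable of `len` bytes of 0x41 in the mock store. */
void set_variable(size_t len) {
    if (len > sizeof g_var_data) len = sizeof g_var_data;
    memset(g_var_data, 0x41, len);
    g_var_size = len;
}

int main(void) {
    int rejected = 0;
    set_variable(FRAME_LEN);  /* 12 bytes: 8 fill the buffer, 4 land on the canary */
    printf("vulnerable: canary 0x%08x\n", read_config_vulnerable());
    printf("hardened:   canary 0x%08x, rejected=%d\n", read_config_hardened(&rejected), rejected);
    return 0;
}
```

The hardened form is the one the UEFI specification already supports: initialise DataSize to the destination size, let GetVariable() refuse with EFI_BUFFER_TOO_SMALL, and treat that refusal as a corrupt or hostile variable rather than as a request to copy more. When auditing firmware modules, a GetVariable() call whose DataSize argument was produced by an earlier GetVariable() call, rather than by sizeof on the destination, is the pattern to flag.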


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
