Ankura CTIX FLASH Update - August 6, 2024

Malware Activity


Magniber Ransomware Targets Home Users Worldwide

BleepingComputer has reported a recent uptick in ransomware attacks targeting home users with Magniber ransomware. Magniber was first launched in 2017, and the operation has ebbed and flowed since then. Historically, Magniber has been spread through various means, including Windows zero-days and fake Windows and browser updates. In 2018, AhnLab released a decryptor for the ransomware, which unfortunately no longer works against later versions of Magniber. As of July 20, 2024, BleepingComputer has observed what it calls a surge in Magniber victims seeking help in its forums. It is currently unclear how recent victims are being infected; however, some victims have reported running software cracks or key generators shortly before the Magniber encryption. Once encrypted, files are appended with a random-character extension and a ransom note named “READ_ME.htm” is created on the victim’s machine. The ransom note instructs victims to download the Tor browser and provides a link to the threat actor’s dark web site, which gives instructions on paying the threat actor in Bitcoin for the decryption key, priced at $1,000 for the first three days and $5,000 after that deadline. There is currently no known working decryptor for the Magniber ransomware. BleepingComputer warns users against downloading and running software cracks and key generators. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.


Threat Actor Activity


Long-Standing Chinese Hackers Linked to 2023 ISP Breach

Evasive Panda, also known as StormBamboo, Daggerfly, and Bronze Highland, is a China-linked cyber espionage group that has been active since at least 2012. This sophisticated threat actor has been implicated in various high-profile cyberattacks targeting organizations across mainland China, Hong Kong, Macao, Nigeria, and several Southeast and East Asian countries. Recent investigations by multiple cybersecurity firms have highlighted the group's advanced tactics and persistent efforts to compromise targets. In mid-2023, Evasive Panda was found to have compromised an undisclosed internet service provider (ISP) in order to poison software update mechanisms and distribute malware to target systems. By intercepting and modifying DNS requests at the ISP, the attackers redirected update traffic to their own command-and-control (C2) servers, and because the targeted applications fetched updates over insecure HTTP channels without proper digital signature validation, the group was able to inject malicious payloads into automatic software updates for Windows and macOS devices without requiring any user interaction. Evasive Panda's malware arsenal includes various sophisticated tools designed for extensive cyber espionage. These include the MgBot malware, a long-standing tool used by the group that has been observed in various campaigns, including those targeting Tibetan users and international non-governmental organizations (NGOs) in mainland China. These attacks often involved supply chain compromises or adversary-in-the-middle (AITM) tactics, further underscoring the group's capability and sophistication. Evasive Panda also uses MACMA, its macOS-specific malware strain, and has deployed malicious Google Chrome extensions, such as ReloadText, to steal browser cookies and mail data. Cybersecurity firm Volexity worked with the affected ISP to identify and disable key traffic-routing devices, effectively stopping the DNS poisoning.
However, the group's persistence and adaptability continue to pose significant challenges to defenders. Evasive Panda's activities highlight the importance of securing software update mechanisms and validating digital signatures to prevent similar attacks. The group's ability to leverage sophisticated techniques and a diverse malware toolkit makes it a formidable adversary in the realm of cyber espionage. CTIX analysts will continue to stay vigilant for emerging threat actors and adversarial activities that pose serious risks.
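The mitigation the write-up points to, verifying an update against a signing key pinned in the client instead of trusting whatever the HTTP update channel (or the DNS answer that steered it) returns, as an added Go example. This is not code from Volexity, the affected ISP, or any vendor named above; the Manifest format, the Ed25519 key pair, and the sample payload are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor; the vendor signs its raw bytes offline.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the payload the manifest vouches for
}

var ErrBadSignature = errors.New("manifest signature invalid")
var ErrHashMismatch = errors.New("payload hash does not match signed manifest")

// VerifyUpdate checks the manifest signature against a public key pinned in the client,
// then checks the downloaded bytes against the hash the signed manifest carries. A payload
// swapped on the wire or served by a DNS-redirected host fails here instead of executing.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, payload []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // demo key pair; a real client ships the vendor's public key
	payload := []byte("constructed sample update binary")
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{Version: "1.2.3", URL: "http://updates.example/app.bin", SHA256: hex.EncodeToString(sum[:])})
	sig := ed25519.Sign(priv, mj) // vendor side, done offline in practice
	_, err := VerifyUpdate(pub, mj, sig, payload)
	fmt.Println("genuine payload:", err)
	_, err = VerifyUpdate(pub, mj, sig, []byte("payload swapped on the wire"))
	fmt.Println("swapped payload:", err)
}
```

The plaintext URL in the manifest is deliberate: once the client enforces the signature and hash, the transport the update happens to traverse is no longer the trust anchor.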


Vulnerabilities


Apache Releases Patches for New OFBiz Vulnerability and Warns of the Active Exploitation of Another

Organizations using Apache OFBiz are being urged to address a critical vulnerability affecting versions through 18.12.14, which is fixed in version 18.12.15. The vulnerability, tracked as CVE-2024-38856, stems from unauthenticated endpoints that allow screen-rendering code execution under specific conditions, primarily when screen definitions do not check user permissions. SonicWall researchers, who identified the vulnerability, attributed it to a flaw in the authentication mechanism that enables unauthenticated remote code execution (RCE). Although no attacks exploiting CVE-2024-38856 have been reported, another vulnerability, CVE-2024-32113, discovered in May, has been actively targeted. This path traversal bug can also lead to remote execution of arbitrary code, and exploitation attempts, potentially involving Mirai botnet variants, increased in late July. Because Apache OFBiz is a free ERP framework used by several major companies, mainly in the US, India, and Europe, users should upgrade to version 18.12.15 to safeguard sensitive business data and maintain system security. CTIX analysts urge administrators to keep their Apache OFBiz instances up to date with the most recent patches to prevent future exploitation.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
