
Ankura CTIX FLASH Update - August 13, 2024

Ransomware/Malware Activity


New Malware Campaign Impacts at Least 300,000 Users with Malicious Browser Extensions

Researchers at ReasonLabs have recently reported on a relatively new malware campaign that aims to steal victims’ data via malicious browser extensions. Researchers have observed at least 300,000 infected users across Google Chrome and Microsoft Edge. The trojan is distributed via fake websites impersonating trusted software, including Roblox FPS Unlocker, YouTube, Steam, and VLC Player. The trojan installer registers a scheduled task that executes a PowerShell script, which in turn downloads and executes additional payloads. The malware modifies the Windows Registry to install malicious extensions published on the Google Chrome Web Store and Microsoft Edge Add-ons. End users cannot disable the extensions, and the malware can also turn off browser updates that would otherwise interfere with its persistence. The downloaded extensions are capable of hijacking web search queries. Some variants also launch a local extension downloaded directly from the attacker’s command-and-control (C2) server, which can intercept all web requests and inject scripts into every page. To remove the malware, users must delete the scheduled task, remove the registry keys, and delete all files associated with the malware. Researchers at ReasonLabs have reached out to Google and Microsoft regarding the malicious extensions to ensure the companies are aware of the issue. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
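The three persistence symptoms summarized above (a scheduled task that runs a PowerShell downloader, registry-forced extensions, and disabled browser updates) can be audited on a Windows host. The following is an added example, not code from the ReasonLabs report or the Ankura brief; it assumes the documented Chrome/Edge enterprise policy registry locations and a constructed, initially empty allow-list of approved extension IDs.

```powershell
# Added example: audit a Windows host for the persistence symptoms described
# in the brief. Policy paths are the standard Chrome/Edge enterprise policy
# keys; $knownGood is a constructed allow-list (assumption: populated by the
# reader with their organisation's approved extension IDs).

$knownGood = @()   # constructed allow-list of approved 32-char extension IDs

$forceListKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)

# 1. Force-installed extensions: each value is "<extension id>;<update URL>".
foreach ($key in $forceListKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip provider metadata
            $id = ($p.Value -split ';')[0]
            if ($knownGood -notcontains $id) {
                Write-Warning "Forced extension not in allow-list: $id ($key)"
            }
        }
    }
}

# 2. Browser auto-update disabled by policy (UpdateDefault = 0 means "never").
$updateKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Update',
    'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
)
foreach ($key in $updateKeys) {
    $v = (Get-ItemProperty -Path $key -Name UpdateDefault -ErrorAction SilentlyContinue).UpdateDefault
    if ($v -eq 0) { Write-Warning "Browser updates disabled by policy: $key" }
}

# 3. Scheduled tasks whose action runs PowerShell with a download pattern.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell' -and
            $cmd -match 'DownloadString|DownloadFile|Invoke-WebRequest|iwr|Net\.WebClient|-enc') {
            Write-Warning "Suspicious task '$($task.TaskName)' in $($task.TaskPath): $cmd"
        }
    }
}
```

Run from an elevated prompt so HKLM keys and all users' tasks are readable; each warning is a lead to investigate, not a verdict, since legitimate management tools also use these policy keys.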


Threat Actor Activity


Iranian Hacking Activities Aimed at Interfering with and Influencing the Upcoming US Election

Microsoft has reported an increase in Iranian cyber activities aimed at influencing the upcoming U.S. presidential election. The tech company’s findings suggest that Iranian hackers, linked to the Islamic Revolutionary Guard Corps (IRGC), have been attempting to breach campaign infrastructure and create disinformation campaigns. This activity aligns with warnings from U.S. intelligence officials about Tehran's intent to act as a "chaos agent" to incite violence and disrupt the electoral process. In one (1) instance, an IRGC-affiliated group sent a spear-phishing email to a high-ranking official of an unnamed presidential campaign. Another group breached a user account at a county-level government, which had minimal access permissions. Additionally, Iranian hackers have created fake news websites aimed at both conservative and liberal voters, using AI to mimic legitimate news sources. These efforts are designed to stir controversy and sway voter opinions, especially in swing states. The Trump campaign has claimed that foreign actors, specifically from Iran, are behind a recent hack targeting their operation. This claim follows Microsoft's report detailing the phishing attempt on a campaign official and other disinformation efforts. Trump's spokesperson, Steven Cheung, blamed the hack on "foreign sources hostile to the United States," and emphasized the threat posed by Iran. The Iranian government has denied any involvement, stating that they have no intention of interfering in U.S. elections. However, this isn't the first time Iran has been accused of meddling in U.S. elections. In 2020, Iranian-linked groups attempted to gain access to election infrastructure and influence voter behavior through disinformation campaigns. Two (2) Iranian nationals were charged by the U.S. Department of Justice for their roles in these efforts. The U.S. Treasury Department also sanctioned several individuals and entities connected to the interference. 
Rob Joyce, former Director of Cybersecurity at the NSA, highlighted the potential for a tumultuous election season, noting the early start of hack-and-leak operations. He pointed out that Iran, along with Russia and China, has a history of election interference. Joyce urged vigilance, suggesting that the 2024 election cycle could see heightened cyber activity aimed at disrupting the democratic process. CTIX Analysts will continue to cover Threat Actor activities and trends ahead of the upcoming U.S. presidential election.


Vulnerabilities


Vulnerabilities in Solarman and Deye Solar Systems May Threaten Global Energy Infrastructure

Recent cybersecurity research has revealed significant vulnerabilities in the photovoltaic (PV) system management platforms operated by the Chinese companies Solarman and Deye, which oversee a substantial portion of the world’s solar energy output. Bitdefender researchers discovered multiple security flaws in these platforms that could allow malicious actors to hijack solar inverters, manipulate account settings, and disrupt power generation. These vulnerabilities, which included authorization token manipulation, token reuse across platforms, and excessive data exposure, pose serious risks such as unauthorized control of inverter settings, voltage fluctuations, and potential blackouts. The flaws also open the door to privacy violations, information harvesting, and targeted phishing attacks. With these vulnerabilities, threat actors could compromise the integrity and stability of the global electricity grid, which relies increasingly on solar power integrated with IoT devices. Following responsible disclosure in May 2024, Solarman and Deye addressed these issues by July 2024. This situation underscores the critical need for robust cybersecurity measures to protect our evolving energy infrastructure from cyber threats as the integration of renewable energy sources and digital platforms continues to grow. CTIX will continue to report on critical vulnerabilities in future FLASH Update issues.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
