Ankura CTIX FLASH Update - August 16, 2024

Malware Activity

New EDR-Killing Utility Deployed with RansomHub Ransomware

Researchers at Sophos have recently encountered new malware built to terminate EDR (Endpoint Detection and Response) processes, observed in an attack that deployed RansomHub ransomware. Sophos has named the utility “EDRKillShifter” and believes it is being used by multiple threat actors. EDRKillShifter is a loader executable: a delivery mechanism for a legitimate driver that is vulnerable to abuse (“bring your own vulnerable driver”, BYOVD). It is first executed from the command line with a password string, which decrypts and executes a BIN resource in memory. The BIN code then unpacks and executes the final payload, written in Go, which can exploit one of several vulnerable drivers to gain the privileges needed to unhook the EDR protection. Sophos observed different variants of EDRKillShifter that relied on two (2) different legitimate but vulnerable drivers for privilege escalation. Exploitation proof-of-concept (PoC) code for both drivers is publicly available on GitHub, and the researchers believe portions of that PoC code were reused in EDRKillShifter. The binary's language property is Russian, indicating that the author compiled the executable on a computer with Russian localization settings. The ultimate goal of EDRKillShifter is to disable prevention and detection mechanisms before the attacker launches the ransomware payload. Sophos recommends that organizations confirm their endpoint security product has tamper protection enabled, keep systems updated, and practice strong hygiene for Windows security roles. Separating user and administrative privileges helps prevent attackers from easily loading drivers. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

FBI Dismantles Ransomware Infrastructure in Joint Law Enforcement Operation

The FBI, in collaboration with international law enforcement agencies, has successfully dismantled the infrastructure of the Radar/Dispossessor ransomware operation. This joint operation, involving the U.K.'s National Crime Agency, Germany's Bamberg Public Prosecutor's Office, and the Bavarian State Criminal Police Office, led to the seizure of multiple servers and domains in the U.S., U.K., and Germany. The operation marked a significant disruption of a ransomware group believed to have been established by former affiliates of the notorious LockBit ransomware enterprise. The FBI announced the takedown of three (3) U.S. servers, three (3) U.K. servers, eighteen (18) German servers, and nine (9) domains that formed part of Radar/Dispossessor's operational network. The Radar/Dispossessor group emerged in August 2023 and quickly developed into a significant ransomware threat. The group is believed to be led by an individual known as "Brain" and has targeted small to mid-sized businesses across various sectors, including education, healthcare, financial services, and transportation. The gang operates on a ransomware-as-a-service (RaaS) model and uses dual extortion tactics, exfiltrating data before encrypting systems to maximize its leverage over victims. The FBI identified forty-three (43) victims of the Radar/Dispossessor attacks, spanning multiple countries including the U.S., Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the U.A.E., and the U.K. The group's attack methodology involves exploiting security vulnerabilities, weak passwords, and the lack of multi-factor authentication (MFA) to breach networks, steal data, and deploy ransomware. Cybersecurity experts have noted that Radar/Dispossessor's leak site and operational methods bear striking similarities to LockBit, suggesting a possible rebranding or reuse of LockBit's infrastructure.
The takedown of Radar/Dispossessor is part of a broader effort by global law enforcement to combat the growing threat of ransomware, which has seen a rise in attacks facilitated by vulnerabilities and weak security measures in targeted organizations.

Vulnerabilities

Researchers Identify Multiple Vulnerabilities in GitHub Actions Opening the Attack Vector Dubbed “ArtiPACKED”

Researchers have identified critical security vulnerabilities in GitHub Actions, where a newly discovered attack vector, tracked as "ArtiPACKED", and other associated risks could jeopardize the integrity of numerous high-profile open-source projects from major companies such as Google, Microsoft, AWS, and Red Hat. These projects were found to be leaking GitHub authentication tokens, such as “GITHUB_TOKEN” and “ACTIONS_RUNTIME_TOKEN”, through CI/CD workflows because of a combination of insecure default settings, user misconfigurations, and inadequate security checks. The leaks present a severe threat: an attacker holding these tokens could gain unauthorized access to private repositories, manipulate or inject malicious code into the repository, and even infiltrate cloud environments. The problem is exacerbated by the exposure of an undocumented environment variable that could allow attackers to substitute legitimate artifacts with malicious versions, potentially leading to remote code execution (RCE). Exploiting the leak is a race: the attacker must steal and use the token while it is still valid. GitHub has categorized the issue as informational and has not implemented a direct fix, instead placing the responsibility on users to secure their artifacts. This has prompted cybersecurity experts to stress the importance of organizations and developers reevaluating their CI/CD pipeline configurations, avoiding the inclusion of entire directories in artifacts, sanitizing logs, and setting token permissions to the least privilege necessary. These measures are essential to mitigate the risks and prevent future token leaks that could lead to severe security breaches.
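As an added illustration (not code from the Ankura update, the researchers, or GitHub), the workflow below places the misconfiguration pattern described above beside a hardened version of the same job: a least-privilege `permissions` block, a checkout that does not persist the token into the workspace, a masked runtime value so it cannot reach the log, and an artifact that packages only the build output rather than the whole directory tree. The job names, `make build`, the `dist/` output path, and the `build-token.txt` file are assumptions for the example.

```yaml
# Added example: weak and hardened GitHub Actions jobs side by side.
# Job names, "make build", dist/ and build-token.txt are assumed values.
name: build

on: [push]

jobs:
  # ---------- Weak pattern ----------
  build-weak:
    runs-on: ubuntu-latest
    # No permissions block: GITHUB_TOKEN inherits the repository's
    # default permissions for every step in this job.
    steps:
      - uses: actions/checkout@v4
        # persist-credentials defaults to true, which writes the token
        # into .git/config inside the checked-out workspace.
      - run: make build
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: .          # the entire workspace, .git/config included

  # ---------- Hardened pattern ----------
  build-hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # least privilege: this job only needs to read the repo
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep the token out of .git/config
      - run: make build
      - name: Mask a runtime-derived value so it never appears in the job log
        run: |
          # build-token.txt is a placeholder for any value produced during the
          # build that must not be echoed; ::add-mask:: redacts it from logs.
          value=$(cat build-token.txt)
          echo "::add-mask::$value"
      - uses: actions/upload-artifact@v4
        with:
          name: build-output
          path: dist/      # only the build output, never the whole tree
```

The `permissions` block may also be placed at the workflow level so every job inherits the restricted token; the job-level form is used here so the two jobs can be compared in one file.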

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.