Ransomware/Malware Activity
Cicada3301 Ransomware: An Evolution of BlackCat?
Cicada3301 ransomware is attacking companies in North America and Europe with a sophisticated form of ransomware resembling BlackCat. Cicada3301 is a ransomware-as-a-service (RaaS) operation which emerged in June 2024, shortly after the ALPHV/BlackCat ransomware group performed an exit scam in March 2024 after stealing a $22 million ransom from one of their affiliates. Cybersecurity researchers believe that Cicada3301 may be an offshoot of the BlackCat group based on the similarities in techniques between the two (2) threat actors. Both forms of ransomware are written in Rust, use the same encryption algorithm, perform identical virtual machine (VM) shutdown and snapshot-wiping commands, use intermittent encryption on larger files, and use the same file naming convention and ransom note decryption method. Cicada3301’s ransomware includes both Windows and Linux/VMware ESXi encryptors. Cicada3301 is also distinguished from BlackCat’s ransomware in many ways: its encryption process is more customizable, it uses stolen credentials on the fly to automatically feed into psexec for privilege escalation and lateral movement, and it is deployed together with the EDR-bypassing tool “EDRSandBlast”. In addition, the threat actors behind Cicada3301 have been improving obfuscation capabilities so that the malware evades detection by antivirus and security products. Similar to BlackCat, Cicada3301 ransomware appends encrypted files on victim machines with a random seven-character extension and leaves a ransom note named “RECOVER-[extension]-DATA.txt”. According to Cicada3301’s leak site, they have compromised 21 companies in the past few months. The threat group’s victims have been concentrated in North America and Europe, and the majority have been small businesses. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
- Bleeping Computer: Linux Version of New Cicada Ransomware
- Dark Reading: BlackCat Spinoff Uses Stolen Creds on the Fly, Skirts EDR
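As an added detection example (not part of the CTIX update), the Python below correlates the shared BlackCat/Cicada3301 naming convention described above, a ransom note named RECOVER-[extension]-DATA.txt beside files carrying a random seven-character extension, across a directory listing. The listing and file names are constructed sample data, and the correlation (only report an extension when its matching note is present) is what keeps ordinary seven-letter extensions from being flagged.

```python
import re
from collections import Counter

# Constructed sample listing of a file share after encryption (not from a real incident).
SAMPLE_LISTING = [
    "C:\\Share\\Finance\\budget.xlsx.k8fj3ql",
    "C:\\Share\\Finance\\forecast.docx.k8fj3ql",
    "C:\\Share\\Finance\\RECOVER-k8fj3ql-DATA.txt",
    "C:\\Share\\HR\\handbook.pdf",
    "C:\\Share\\HR\\photo.jpeg",
]

# Ransom note convention reported for both families: RECOVER-<7 chars>-DATA.txt
NOTE_RE = re.compile(r"^RECOVER-([A-Za-z0-9]{7})-DATA\.txt$")
# Random seven-character extension appended after the file's original extension.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{7})$")


def find_encryption_indicators(paths):
    """Return {extension: encrypted_file_count} for every seven-character extension
    that also has a RECOVER-<extension>-DATA.txt note somewhere in the listing.

    A seven-character extension on its own (e.g. .torrent) is not reported; the
    note/extension pairing is the indicator, which is why both are required."""
    note_extensions = set()
    extension_counts = Counter()
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        note = NOTE_RE.match(name)
        if note:
            note_extensions.add(note.group(1))
            continue
        ext = EXT_RE.search(name)
        if ext:
            extension_counts[ext.group(1)] += 1
    return {ext: extension_counts[ext] for ext in note_extensions}


if __name__ == "__main__":
    for ext, count in find_encryption_indicators(SAMPLE_LISTING).items():
        print(f"ransom note for extension .{ext} found; {count} file(s) carry it")
```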
Threat Actor Activity
North Korean-linked Citrine Sleet Exploiting Chromium Zero-Day
A recently patched zero-day vulnerability in Google Chrome (CVE-2024-7971) has been exploited by North Korean-linked threat actors in a campaign targeting the cryptocurrency industry. The threat actor, identified as Citrine Sleet (also known as AppleJeus, Labyrinth Chollima, and UNC4736), is linked to North Korea’s Reconnaissance General Bureau and is considered a subgroup within the notorious Lazarus Group. This campaign, detected on August 19, 2024, involved sophisticated social engineering techniques, including the creation of fake websites mimicking legitimate cryptocurrency trading platforms. These sites lured victims into downloading malicious crypto wallets or trading apps, which facilitated the theft of digital assets. The zero-day exploit in question, CVE-2024-7971, is a high-severity type confusion vulnerability in the V8 JavaScript engine used by Chromium-based browsers. The exploitation of this flaw enabled remote code execution (RCE) within the sandboxed Chromium renderer process. Victims were typically directed to a malicious website (voyagorclub[.]space) where the exploit was triggered. Upon successful exploitation, the attackers deployed shellcode containing a Windows sandbox escape exploit (CVE-2024-38106) and the FudModule rootkit. This rootkit allows attackers to gain SYSTEM privileges, perform direct kernel object manipulation, and maintain persistent access to compromised systems. The FudModule rootkit has been in use since 2021 and is shared among various North Korean hacking groups, including Diamond Sleet and BlueNoroff. This zero-day exploit chain is part of a broader strategy by North Korean actors to target financial institutions and cryptocurrency firms for financial gain. The Citrine Sleet group has previously used similar tactics, such as fake job applications and weaponized software, to compromise their targets. 
This activity aligns with North Korea’s broader objective of generating revenue through cyber operations, having reportedly netted $3 billion from cryptocurrency attacks between 2017 and 2023. The U.S. government has added CVE-2024-7971 to its catalog of known exploited vulnerabilities, mandating federal agencies to patch the flaw by September 16, 2024.
- The Hacker News: Citrine Sleet Article
- Bleeping Computer: Citrine Sleet Article
- The Record: Citrine Sleet Article
Vulnerabilities
Multiple Vulnerabilities Identified in Microsoft Applications for macOS
Eight (8) security vulnerabilities have been identified in several Microsoft applications for macOS, presenting a potential risk that attackers could exploit to gain elevated privileges or unauthorized access to sensitive data. These vulnerabilities allow malicious actors to bypass the macOS permissions-based model, which relies on Apple's Transparency, Consent, and Control (TCC) framework. This framework is designed to give users visibility and control over how their data is accessed by different applications, ensuring that only approved applications can access specific types of data. The affected applications include widely used programs such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote. The vulnerabilities stem from the ability to inject malicious libraries into these applications, which can then inherit the applications’ entitlements and permissions. This could allow an attacker to send emails from a user’s account, record audio, take photos, or capture videos without the user’s awareness or interaction. If successfully exploited, a trusted application could act as a proxy, allowing the attacker to perform actions that would normally require explicit user consent. It’s important to note that for these attacks to be successful, the attacker must already have gained initial access to the target system. Microsoft has implemented fixes in its OneNote and Teams applications to mitigate the potential risks. The broader challenge of securely handling plugins within macOS remains, with options like notarization of third-party plugins being a possible solution. This would require either Microsoft or Apple to sign third-party modules after verifying their security, adding an extra layer of protection against such exploits.
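The update describes libraries injected into a trusted application inheriting that application's entitlements and permissions, but does not name the mechanism. The added Python example below (not from the update, Microsoft or Apple) assumes the relevant condition is an app signed with the Hardened Runtime entitlement com.apple.security.cs.disable-library-validation, which permits loading libraries not signed by the app's own team, alongside entitlements for TCC-protected resources such as the camera and microphone; the entitlements plist is constructed sample data standing in for what `codesign -d --entitlements :- <App>.app` would print.

```python
import plistlib

# Constructed entitlements (hypothetical app, not a real Microsoft binary): library
# validation disabled while holding camera and microphone entitlements.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

# Same hypothetical app with library validation left enabled: an injected, foreign-signed
# library would be refused at load time, so the proxying described above does not apply.
HARDENED_ENTITLEMENTS = plistlib.dumps({
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})

# Hardened Runtime entitlement keys that front TCC-protected resources (assumed relevant set).
TCC_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.photos-library": "photos",
}
LIBRARY_VALIDATION_OFF = "com.apple.security.cs.disable-library-validation"


def assess_entitlements(plist_bytes):
    """Parse an entitlements plist and report whether it combines disabled library
    validation with TCC-backed entitlements that an injected library would inherit."""
    entitlements = plistlib.loads(plist_bytes)
    tcc_resources = sorted(label for key, label in TCC_ENTITLEMENTS.items()
                           if entitlements.get(key) is True)
    validation_disabled = entitlements.get(LIBRARY_VALIDATION_OFF) is True
    return {
        "library_validation_disabled": validation_disabled,
        "tcc_resources": tcc_resources,
        "at_risk": validation_disabled and bool(tcc_resources),
    }


if __name__ == "__main__":
    print(assess_entitlements(SAMPLE_ENTITLEMENTS))
    print(assess_entitlements(HARDENED_ENTITLEMENTS))
```

An app that holds TCC entitlements but keeps library validation enabled is reported as not at risk, which is the outcome the notarization option discussed above is meant to preserve for third-party plugins.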
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.