Ransomware/Malware Activity
MacroPack Red Teaming Tool Abused by Threat Actors Globally
Researchers have discovered that MacroPack, an attacker emulation tool, is being abused by multiple cyber threat actors. MacroPack is a proprietary tool leveraged by red and purple teams to test prevention and detection mechanisms. Security researchers discovered its use for nefarious purposes by analyzing document submissions made to VirusTotal from around the globe. Submissions from the United States, China, Russia, and Pakistan indicate that MacroPack had been used to craft malicious VBA code delivered via Microsoft Office documents to spread final malware payloads such as Havoc, Brute Ratel, and PhantomCore. The analyzed documents all contained embedded VBA subroutines indicating they had been created using MacroPack. Researchers believe that multiple threat actors are behind these campaigns, given the variation in lures and targets across the identified documents. MacroPack includes advanced features that threat actors can abuse, such as anti-malware bypass techniques, code obfuscation, and undetectable VB scripts. Once a victim opens an infected document, MacroPack decodes a shellcode stage which then launches a DLL payload that connects to a command-and-control (C2) server. Final payloads observed include the post-exploitation C2 tools Havoc and Brute Ratel and the Remote Access Trojan (RAT) PhantomCore. Brute Ratel is a post-exploitation attack framework much like Cobalt Strike. CTIX analysts recommend that organizations utilize Endpoint Detection and Response (EDR) and Next-Generation Anti-Virus (NGAV) to prevent and detect these types of threats, and ensure that the Indicators of Compromise (IOCs) related to these campaigns are blocked. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
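The infection chain above starts with a VBA macro inside an Office document, so a practical detection layer beside EDR/NGAV is static triage of extracted macro source. The following is an added example written for this update, not code from the researchers or from MacroPack: it scores VBA text on generic dropper traits (an auto-exec entry point, calls into the shell or process/memory APIs, long Chr() concatenation chains used for runtime string decoding, and large base64-like blobs). The indicator names are ordinary VBA and Windows API names, not MacroPack-specific signatures (the update names none), and both macro samples are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field

# Constructed VBA source (not taken from any real document) showing the
# generic traits of a macro dropper: an auto-exec entry point, a long
# Chr()-concatenation decode chain, and a call out to the shell.
SAMPLE_SUSPICIOUS_VBA = """
Sub AutoOpen()
    Dim s As String
    s = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set o = CreateObject("WScript.Shell")
    o.Run s & " -w hidden -enc QQBCAEMA", 0
End Sub
"""

# Constructed benign macro for comparison.
SAMPLE_BENIGN_VBA = """
Sub FormatTotals()
    Range("A1:A10").NumberFormat = "0.00"
End Sub
"""

# Heuristic indicators. These are generic VBA/Windows API names, not
# MacroPack-specific signatures.
AUTO_EXEC = re.compile(
    r"\b(AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
SUSPICIOUS_CALLS = re.compile(
    r"\b(WScript\.Shell|CreateObject|ShellExecute|URLDownloadToFile|"
    r"VirtualAlloc|CreateThread|Shell)\b", re.I)
CHR_CHAIN = re.compile(r"(?:Chr\w*\(\s*\d+\s*\)\s*&\s*){4,}", re.I)
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class MacroVerdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold chosen for this example; tune it against your own corpus.
        return self.score >= 3


def triage_vba(source: str) -> MacroVerdict:
    """Score VBA source text on generic dropper traits and record why."""
    verdict = MacroVerdict()
    for name in sorted({m.lower() for m in AUTO_EXEC.findall(source)}):
        verdict.score += 1
        verdict.reasons.append(f"auto-exec entry point: {name}")
    for name in sorted({m.lower() for m in SUSPICIOUS_CALLS.findall(source)}):
        verdict.score += 1
        verdict.reasons.append(f"suspicious call: {name}")
    if CHR_CHAIN.search(source):
        verdict.score += 2
        verdict.reasons.append("Chr() concatenation chain (runtime string decoding)")
    if LONG_BASE64.search(source):
        verdict.score += 1
        verdict.reasons.append("long base64-like blob (possible embedded stage)")
    return verdict


if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS_VBA), ("benign", SAMPLE_BENIGN_VBA)):
        v = triage_vba(src)
        print(f"{label}: score={v.score} suspicious={v.suspicious}")
        for r in v.reasons:
            print("  -", r)
```

In practice the macro text would come from a VBA extractor run over files quarantined at the mail gateway or sandbox; the scorer is deliberately explainable so an analyst can see which trait fired, and the Chr() chain rule carries extra weight because it is obfuscation with little legitimate use in business macros.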
Threat Actor Activity
North Korea's Continued Social Engineering Campaigns Target Crypto Industry
The FBI has issued a warning about North Korean hacking groups aggressively targeting cryptocurrency companies and their employees through sophisticated social engineering attacks aimed at stealing crypto assets. These state-sponsored groups, including the notorious Lazarus Group, Kimsuky, and others, have stolen an estimated $3 billion in cryptocurrency since 2017. Recent campaigns have focused on cryptocurrency exchange-traded funds (ETFs) and related financial products, deploying meticulously planned attacks that involve extensive pre-operational research and the use of social engineering techniques to gain unauthorized access to networks. The attackers identify specific DeFi (decentralized finance) and cryptocurrency businesses and target their employees, often posing as recruiters or offering investment opportunities. They use fluent English and detailed personal information to enhance credibility. The FBI highlights that these malicious actors also employ stolen images and professionally crafted websites to appear more legitimate. Indicators of suspicious activity, as noted in the FBI's public service announcement, include requests to use non-standard software and unusual communication patterns. The FBI has provided guidelines for cryptocurrency companies and their employees to mitigate these risks. The Bureau has also warned of related scams, such as fake remote job ads and unlicensed cryptocurrency transfer services, which can result in significant financial losses. Despite the technical sophistication of DeFi and cryptocurrency firms, they remain vulnerable to these highly tailored social engineering campaigns. North Korean hackers have been linked to several high-profile crypto heists, including the theft of $620 million from Axie Infinity's Ronin network bridge, the largest crypto hack to date.
The FBI's alert underscores the persistent threat posed by North Korean cyber actors to companies handling large quantities of cryptocurrency assets.
Vulnerabilities
Cisco Patches Critical Vulnerability in its Identity Services Engine (ISE) Solution
Cisco has recently patched a critical command injection vulnerability in its Identity Services Engine (ISE), a network access control solution widely used in enterprise environments. This vulnerability, tracked as CVE-2024-20469, allows attackers with existing administrator privileges to escalate their access to root, granting them full control over the system. The issue stems from inadequate validation of user-supplied input in certain CLI commands, which local attackers can exploit by submitting malicious commands. This flaw is considered low complexity, requiring no user interaction, making it particularly concerning. Although Cisco has released the necessary security updates, proof-of-concept (PoC) exploit code is already available to the public, raising the potential risk of future exploitation. Fortunately, Cisco has not observed any evidence of attackers actively exploiting this vulnerability in the wild. In addition to this critical patch, Cisco warned of a backdoor account in its Smart Licensing Utility Windows software, which has also been addressed. This backdoor could have allowed attackers to log into unpatched systems with administrative privileges. The patch for CVE-2024-20469 follows a series of other critical security updates from Cisco, including fixes for an Integrated Management Controller (IMC) vulnerability (CVE-2024-20295) and a vulnerability in its Security Email Gateway (SEG) appliances (CVE-2024-20401), both of which also allowed for privilege escalation and could be exploited to crash systems or add rogue users. CTIX analysts urge users to install the updates immediately to secure their systems from potential exploitation.
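The bug class named above, command injection through inadequately validated input to a CLI command that runs with higher privilege than its caller, is easiest to see with the vulnerable pattern beside its hardened form. The following is an added, hypothetical example written for this update; it is not Cisco's code and says nothing about how ISE is implemented. It models a wrapper that builds a `ping` command from an operator-supplied target: the unsafe builder splices the value into a shell string, the hardened one validates against an allowlist (IP literal or well-formed hostname) and builds an argv list so no shell ever parses the value. The test input `example.com; echo injected` is constructed for the demonstration.

```python
import ipaddress
import re

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots,
# no leading/trailing hyphen in a label.
HOSTNAME_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)"
    r"(?:\.(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?))*")


def is_valid_target(target: str) -> bool:
    """Allowlist check: accept an IP literal or a well-formed hostname only."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and HOSTNAME_RE.fullmatch(target) is not None


def build_ping_command_unsafe(target: str) -> str:
    # Vulnerable pattern: the caller-supplied value is spliced into one string
    # that would later be handed to a shell (os.system / subprocess shell=True).
    # Any shell metacharacters in `target` become part of the command line, and
    # if the wrapper runs as root, so does whatever they introduce.
    return f"ping -c 1 {target}"


def build_ping_command_safe(target: str) -> list[str]:
    # Hardened: validate against the allowlist first, then build an argv list
    # so the value is passed as a single argument and never parsed by a shell.
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def rejects(target: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_ping_command_safe(target)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hostile = "example.com; echo injected"  # constructed test input
    print("unsafe string a shell would split into two commands:",
          build_ping_command_unsafe(hostile))
    print("hardened argv for a valid target:", build_ping_command_safe("example.com"))
    print("hardened builder rejects hostile input:", rejects(hostile))
    print("hardened builder rejects option injection ('-c'):", rejects("-c"))
```

Two points carry over to the advisory. First, the validation is an allowlist, not a denylist of metacharacters, which is why it also refuses values such as `-c` that would otherwise be read as an option by the invoked program. Second, input validation alone does not explain why the ISE flaw is a privilege escalation: that comes from the wrapper running as root on behalf of a lower-privileged administrator, so the durable fix pairs validation with least privilege, running such helpers with only the rights the command actually needs.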
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.