Ankura CTIX FLASH Update - September 17, 2024

Malware Activity

Malware Locks Browser in Kiosk Mode, Frustrating User into Entering Credentials

A recent malware campaign has been identified that traps users in their browser's kiosk mode on Google's login page, compelling them to enter their Google credentials out of annoyance. The malware locks the browser and disables the "ESC" and "F11" keys, which prevents users from easily exiting kiosk mode. Kiosk mode is a specialized setting in web browsers or apps that allows them to operate in full-screen mode without standard user interface elements such as toolbars, address bars, or navigation buttons. This mode is intended to restrict user interactions to specific functions, making it well suited to public kiosks. In this attack, however, kiosk mode is misused to confine user actions to the Google login page, presenting the sole option of entering account credentials. This tactic aims to frustrate users into entering their credentials to "unlock" the computer; those credentials are then stolen by the StealC information-stealing malware. This attack method has been active since at least August 22, 2024, and is mainly utilized by Amadey, a malware loader known for information theft and system reconnaissance. Amadey deploys an AutoIt script that scans for available browsers and launches one in kiosk mode directed to Google's change password page. This creates an opportunity for users to re-enter and save their credentials, which StealC subsequently steals. If users find themselves trapped in kiosk mode, they should avoid entering any sensitive information and try alternative hotkeys such as 'Alt + F4' or 'Ctrl + Shift + Esc' to exit the browser. If these methods fail, performing a hard reset and running a full antivirus scan in Safe Mode is recommended to remove the malware.
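As an added detection example (not part of the Ankura update), the script below scores process-creation events for the behaviour described above: a browser forced into kiosk mode, pointed at a Google account page, and spawned by a script interpreter such as AutoIt. The flattened "key=value|key=value" log format, the browser and interpreter names, and the --kiosk switch are assumptions; the sample lines are constructed and the Google path is a placeholder.

```python
from urllib.parse import urlparse

# Assumptions (not from the FLASH update): Sysmon-style process-creation
# events flattened to "key=value|key=value" lines, and browsers that honour
# a --kiosk command-line switch (Chrome, Edge and Firefox all do).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
KIOSK_FLAGS = {"--kiosk", "-kiosk"}
SCRIPT_HOSTS = {"autoit3.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
GOOGLE_ACCOUNT_HOSTS = {"accounts.google.com", "myaccount.google.com"}
SEVERITY = {1: "low", 2: "medium", 3: "high"}

# Constructed sample events; the Google path is a placeholder, not a real URL.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ParentImage=C:\\Users\\Public\\AutoIt3.exe|CommandLine="chrome.exe" --kiosk https://accounts.google.com/CHANGE-PASSWORD-PATH
Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="chrome.exe" https://www.example.com/
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="firefox.exe" --kiosk https://intranet.example/dashboard
Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine="chrome.exe" --kiosk https://accounts.google.com/
"""

def parse_event(line: str) -> dict:
    """Split one flattened event line into a field dictionary."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> int:
    """0 = not a kiosk launch; otherwise 1-3 for the indicators stacked."""
    if basename(event.get("Image", "")) not in BROWSERS:
        return 0
    tokens = event.get("CommandLine", "").split()
    if not any(t.lower() in KIOSK_FLAGS for t in tokens):
        return 0
    score = 1  # a browser forced into kiosk mode
    urls = [t.strip('"') for t in tokens if t.lower().startswith(("http://", "https://"))]
    if any(urlparse(u).hostname in GOOGLE_ACCOUNT_HOSTS for u in urls):
        score += 1  # ...pointed at a Google account/password page
    if basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        score += 1  # ...spawned by a script interpreter such as AutoIt
    return score

def scan_log(text: str) -> list:
    """Return (line_number, severity) for every kiosk-mode browser launch."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        s = score_event(parse_event(line))
        if s:
            hits.append((n, SEVERITY[s]))
    return hits

if __name__ == "__main__":
    for n, sev in scan_log(SAMPLE_LOG):
        print(f"line {n}: {sev}")
```

A legitimate kiosk deployment launched from explorer.exe toward an internal site scores "low", so the rule can be tuned by parent process and destination host rather than on the kiosk switch alone.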

Threat Actor Activity

RansomHub Claims Another Victim, Publishing Kawasaki's Stolen Data

Kawasaki Motors Europe is recovering from a recent cyberattack attributed to the RansomHub ransomware gang, which has claimed to have stolen four hundred and eighty-seven (487) gigabytes of data from the company. The attack, which occurred in early September 2024, led to the temporary isolation of Kawasaki's servers as a precautionary measure. The company's IT department, in collaboration with external cybersecurity experts, spent the following week meticulously checking each server for any suspicious material such as malware before reconnecting it to the corporate network. Thus far, Kawasaki Motors Europe has restored over 90% of its server functionality, ensuring that operations involving motor vehicle dealers, third-party suppliers, and logistics are not significantly impacted. The company, which reported over $3 billion in earnings last quarter, is a major player in the motor vehicle industry, manufacturing motorcycles, utility vehicles, and other motorized products. The cyberattack has drawn further attention to RansomHub, a ransomware gang that has emerged as a significant threat following the dissolution of earlier gangs like LockBit and AlphV. RansomHub has been linked to at least two hundred and ten (210) ransomware attacks on various organizations since launching in February 2024, according to the FBI and other law enforcement agencies. Notable recent victims include Rite Aid, Frontier, Planned Parenthood, Halliburton, and Christie's. The group's tactic involves adding victims to its extortion portal on the dark web, with a timer set to publish stolen data if ransom demands are not met. The timer for Kawasaki was set to expire on Saturday, September 14, 2024. CTIX analysts' own research found that Kawasaki's data has indeed been published on the RansomHub leak site. Despite the severity of the attack, Kawasaki has not publicly commented on whether customer data was included in the stolen files. The company has also not responded to media inquiries about the incident.

Vulnerabilities

Critical Ivanti Vulnerability Under Active Exploitation by Threat Actors

Ivanti has disclosed that a high-severity vulnerability in its Cloud Service Appliance (CSA) is actively being exploited in attacks, prompting action from both the company and federal agencies. The vulnerability, tracked as CVE-2024-8190, allows for remote code execution (RCE) by attackers with administrative privileges and impacts CSA version 4.6, which has reached end-of-life status. Ivanti has released a patch (CSA 4.6 Patch 519), but strongly advises customers to upgrade to the supported CSA version 5.0, which is not affected by this vulnerability and continues to receive updates. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies secure vulnerable systems no later than October 4, 2024. Ivanti also noted that configurations following best practices, such as dual-homed CSA setups, are at a lower risk of exploitation. In addition to addressing this vulnerability, Ivanti has also patched other critical flaws, including a maximum-severity issue in its Endpoint Management software (EPM). The company has ramped up internal scanning, testing, and responsible vulnerability disclosure practices to improve its security response. With its products widely used by over 40,000 companies, including federal agencies, upgrading and securing these systems is urgent to prevent further exploitation. CTIX analysts recommend that all administrators responsible for instances of Ivanti Cloud CSA ensure that their platforms are safeguarded against these flaws by patching and following best security practices.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.