
Ankura CTIX FLASH Update - September 20, 2024

Malware Activity

New SambaSpy Malware Targeting Italian Users in Phishing Campaign

A newly discovered malware dubbed SambaSpy is targeting Italian users exclusively, through a phishing campaign attributed to a suspected Brazilian Portuguese-speaking threat actor. The attack begins with phishing emails carrying either an HTML attachment or an embedded link. The HTML attachment drops a ZIP archive containing a downloader or dropper, which in turn launches the remote access trojan (RAT) payload. The link-based chain is more elaborate: recipients are redirected either to a legitimate invoice or to a malicious web server depending on criteria such as browser type and language settings, and only users who match those criteria are served a malicious JAR file hosted on MediaFire that deploys the RAT. SambaSpy offers extensive remote-control functionality, including file management, keylogging and webcam control; it also steals credentials from several web browsers and can load additional plugins to extend its capabilities. Evidence indicates that the threat actor may expand its operations to Brazil and Spain, reflecting a broader trend of Latin American cybercriminals targeting European countries that share related languages. This development comes alongside a surge in banking trojan campaigns in Latin America that use sophisticated phishing lures to steal banking credentials and execute unauthorized transactions, relying on evasion techniques such as obfuscated PowerShell scripts and malicious ISO files to avoid detection.

Threat Actor Activity

Vanilla Tempest Using INC Ransomware Against the US Healthcare Sector

A financially motivated threat actor named Vanilla Tempest (formerly tracked as DEV-0832 and also known as Vice Society) has been identified deploying the INC ransomware strain in attacks on US healthcare organizations. This is the first observed use of INC ransomware by Vanilla Tempest, which has a history of targeting the education, healthcare, IT and manufacturing sectors with a range of ransomware strains, including BlackCat, Quantum Locker, Zeppelin and Rhysida. In the recent attack, Vanilla Tempest obtained network access through the GootLoader malware downloader, delivered by the Storm-0494 threat actor. After initial access, the attackers deployed the Supper backdoor, the AnyDesk remote monitoring and management tool, and the MEGA data synchronization tool for persistence and data exfiltration. They used Remote Desktop Protocol (RDP) and the Windows Management Instrumentation (WMI) Provider Host for lateral movement before deploying the INC ransomware payload. The disclosure coincides with reports that ransomware groups such as BianLian and Rhysida have used Azure Storage Explorer and AzCopy to exfiltrate sensitive data to cloud storage, blending in with legitimate traffic to evade detection. In May 2024, a threat actor named "salfetka" attempted to sell the source code for the Windows and Linux/ESXi versions of INC ransomware for $300,000 on two separate hacking forums. The same ransomware strain was linked to a cyberattack on Michigan's McLaren Health Care hospitals, which caused significant disruption to IT and phone systems and forced the rescheduling of some medical procedures. Vanilla Tempest's activity, particularly against healthcare, highlights the persistent and growing ransomware threat to that sector. CTIX analysts will continue to monitor emerging threat actor activity.

Vulnerabilities

GitLab Patches Critical SAML Authentication Bypass Vulnerability

GitLab has released security updates for its Community Edition (CE) and Enterprise Edition (EE) to address a critical authentication bypass affecting self-managed installations. The flaw, tracked as CVE-2024-45409 (CVSS score: 10.0), originates in the Ruby-SAML library and the OmniAuth-SAML wrapper through which GitLab uses it; together they handle SAML-based authentication, the protocol behind single sign-on (SSO) across multiple services. Ruby-SAML did not properly verify the XML signature on the SAML Response, so an unauthenticated attacker who holds any document signed by the identity provider (IdP) can craft a SAML Response whose assertion carries arbitrary contents, and GitLab accepts it as genuine, logging the attacker in as whichever user the forged assertion names. The patches upgrade OmniAuth-SAML to version 2.2.1 and Ruby-SAML to 1.17.0, restoring proper signature validation. Although GitLab has not confirmed exploitation in the wild, it has published indicators of attempted exploitation: in the application logs, unexpected or multiple "extern_uid" values (the identifier the IdP asserts for a user) tied to a single account; and in the authentication logs, SAML-related events failing with errors such as "RubySaml::ValidationError", which a malformed forgery attempt would trigger. GitLab also advises monitoring for abnormal authentication activity, such as access from unfamiliar IP addresses, which could indicate an attack. These updates come amid heightened attention to critical flaws, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding other actively exploited vulnerabilities, including one affecting Apache HugeGraph-Server, to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the importance of timely patching.
CTIX analysts strongly urge users running affected versions to upgrade immediately, particularly on self-managed installations, and emphasize enabling two-factor authentication (2FA) for all accounts and disabling the SAML two-factor bypass option as temporary mitigations for those unable to update right away. Note that 2FA only blunts this bypass when the SAML two-factor bypass option is off: a forged assertion cannot satisfy the second factor, but it does not have to if SAML logins are allowed to skip it.
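The indicators above can be hunted mechanically. The following Ruby script is an added example written for this update, not code from GitLab or from the Ruby-SAML project. It scans JSON-per-line log text for the three signals the advisory describes: one account authenticating with more than one extern_uid, SAML events failing with RubySaml::ValidationError, and successful SAML logins from outside trusted address ranges. The log lines are constructed for the example, and the field names (message, username, extern_uid, remote_ip) are assumptions about the log schema; adapt them to the actual keys in your application_json.log and auth.log.

```ruby
require 'json'
require 'ipaddr'

# Constructed sample lines in the JSON-per-line style of GitLab's logs.
# Field names are assumptions for this example, not GitLab's guaranteed schema.
SAMPLE_LOG = <<~'LOG'
  {"time":"2024-09-17T08:01:10Z","message":"(saml) Authentication success","username":"alice","extern_uid":"alice@corp.example","remote_ip":"10.20.0.15"}
  {"time":"2024-09-17T08:03:42Z","message":"(saml) Authentication success","username":"bob","extern_uid":"bob@corp.example","remote_ip":"10.20.0.22"}
  {"time":"2024-09-18T22:14:05Z","message":"(saml) Authentication failure: RubySaml::ValidationError: Invalid Signature on SAML Response","remote_ip":"203.0.113.77"}
  {"time":"2024-09-18T22:15:31Z","message":"(saml) Authentication success","username":"alice","extern_uid":"alice@corp.example","remote_ip":"203.0.113.77"}
  {"time":"2024-09-18T22:16:02Z","message":"(saml) Authentication success","username":"alice","extern_uid":"admin@corp.example","remote_ip":"203.0.113.77"}
  not-json garbage line that a log shipper might inject
LOG

# Parse JSON-per-line text into an array of event hashes, skipping unparsable lines.
def parse_log(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next nil if line.empty?
    begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil # shipper noise or partial writes: skip rather than abort the hunt
    end
  end
end

# Indicator 1: a single GitLab username that has authenticated with more than
# one extern_uid. A forged assertion that names an existing user but carries a
# different IdP identifier shows up exactly this way.
def extern_uid_anomalies(events)
  by_user = Hash.new { |h, k| h[k] = [] }
  events.each do |e|
    next unless e['username'] && e['extern_uid']
    by_user[e['username']] << e['extern_uid'] unless by_user[e['username']].include?(e['extern_uid'])
  end
  by_user.select { |_, uids| uids.size > 1 }
end

# Indicator 2: SAML responses rejected by the Ruby-SAML library. Failed forgery
# attempts (or probing with malformed documents) raise this error class.
def saml_validation_errors(events)
  events.select { |e| e['message'].to_s.include?('RubySaml::ValidationError') }
end

# Indicator 3: successful SAML logins from outside the expected network ranges.
def logins_from_unfamiliar_ips(events, trusted_cidrs)
  trusted = trusted_cidrs.map { |c| IPAddr.new(c) }
  events.select do |e|
    next false unless e['message'].to_s.include?('Authentication success') && e['remote_ip']
    ip = IPAddr.new(e['remote_ip'])
    trusted.none? { |net| net.include?(ip) }
  end
end

# Run all three checks and return a compact report.
def hunt(text, trusted_cidrs)
  events = parse_log(text)
  {
    parsed: events.size,
    extern_uid_anomalies: extern_uid_anomalies(events),
    validation_errors: saml_validation_errors(events).map { |e| [e['time'], e['remote_ip']] },
    unfamiliar_ip_logins: logins_from_unfamiliar_ips(events, trusted_cidrs)
                            .map { |e| [e['time'], e['username'], e['remote_ip']] }
  }
end

if __FILE__ == $PROGRAM_NAME
  # 10.20.0.0/16 is an assumed corporate range for the constructed sample.
  puts JSON.pretty_generate(hunt(SAMPLE_LOG, ['10.20.0.0/16']))
end
```

On the sample, the report flags alice for two extern_uid values, one RubySaml::ValidationError from 203.0.113.77, and two successful logins from that same untrusted address: the combination a practitioner would escalate. On a real instance, feed it `gitlab-ctl tail` output or the log files directly and replace the trusted ranges with your own.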

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
