Ransomware/Malware Activity
New Splinter Post-Exploitation Red Team Tool Abused by Attackers
Cybersecurity researchers have recently discovered a new red-teaming tool, “Splinter”, lurking on compromised systems post-incident. Splinter is similar to the well-known post-exploitation tool Cobalt Strike, but less advanced. Researchers dubbed the tool “Splinter” based on the internal project name spotted in a debugging artifact in its code. It is not yet known who developed Splinter or which threat groups are behind its misuse. Splinter is developed in Rust, and its samples are very large due to the number of external libraries the file uses. Splinter uses a JSON format for its configuration data, which contains the implant and targeted endpoint identifiers as well as the command-and-control (C2) server details. Splinter connects to its C2 server over HTTPS. Splinter’s capabilities include running Windows commands, remote process injection, file uploads and downloads, information harvesting, and self-destructing. Splinter is a red team tool which, when used as intended, provides an adversary simulation framework that allows organizations to test and improve their defenses. CTIX analysts reported earlier this month on another red team tool, “MacroPack”, that is being used by threat actors to escalate privileges and download malware on victim machines. These two developments this month indicate that threat actors are adopting different post-exploitation tools, likely in an attempt to evade the detections built around Cobalt Strike, which has notoriously been used by threat actors for malicious purposes. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Iranian APT UNC1860 Gaining Initial Access to Many Middle Eastern Organizations
A sophisticated cyber operation within Iran's Ministry of Intelligence and Security (MOIS) has been identified as a significant initial access broker for other Iranian hackers, providing persistent entry into telecommunications and government organizations across the Middle East. This Iranian APT, UNC1860, has been active since at least 2020 and has developed a collection of specialized tools and passive backdoors that support other Iranian hacking activities, including espionage and network attack operations. The FBI recently reported that the group of Iranian hackers who attempted to steal and disseminate documents from former President Donald Trump's campaign are likely associated with UNC1860. UNC1860's tools are designed to evade antivirus software and maintain long-term, stealthy access to compromised systems. These tools have been utilized by other MOIS-affiliated groups, such as APT34, and have been linked to destructive cyber operations, including attacks on Israel in 2023 and Albania in 2022. The group's arsenal includes malware controllers such as TEMPLEPLAY and VIROGREEN, which provide remote access and facilitate post-exploitation activities within target networks. The tools and techniques employed by UNC1860 also include a range of backdoors and loaders, such as OATBOAT, TOFUDRV, TOFULOAD, and TEMPLELOCK, which facilitate initial access, lateral movement, and information gathering within victim networks. These tools highlight the group's capability to maintain persistent access and conduct extensive reconnaissance without detection. The increasing sophistication and boldness of Iranian cyber operations have drawn significant attention from security researchers and government agencies. As tensions continue to rise in the Middle East, UNC1860's ability to gain and maintain access to high-priority networks is considered a valuable asset for Iran's cyber ecosystem, capable of adapting to evolving objectives.
Vulnerabilities
Critical Stack-Based Overflow Flaw Found in Microchip Advanced Software Framework (ASF) "tinydhcp" Server
A critical vulnerability has been identified in Microchip's Advanced Software Framework (ASF) that could allow remote code execution (RCE) via a stack-based overflow in the implementation of the “tinydhcp” server. This flaw, tracked as CVE-2024-7490, stems from inadequate input validation of DHCP requests; it carries a high CVSS score of 9.5/10 and affects ASF version 3.52.0.2574 and earlier versions. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University issued an advisory warning that, given the nature of the framework, the vulnerability could be widely present in IoT devices. The vulnerability remains unpatched, and because the affected ASF version is no longer supported, CERT/CC recommends replacing the tinydhcp service to mitigate the risk. Additionally, forks of the tinydhcp project on GitHub could be similarly impacted. The disclosure of this flaw coincides with another serious vulnerability in MediaTek Wi-Fi chipsets (CVE-2024-20017), which also allows RCE. Although MediaTek released a patch in March 2024, the risk of exploitation has increased following the release of a proof-of-concept (PoC) exploit in August 2024. Both vulnerabilities highlight significant security concerns in IoT and networking technologies. CTIX analysts urge all affected users to follow the CERT/CC guidance and replace the tinydhcp service with one that is not vulnerable to this exploit.
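As an added illustration of the vulnerability class described above (this is not Microchip's ASF code and not the actual CVE-2024-7490 defect, whose internals the advisory does not give), the following parser shows the input validation a DHCP server must perform: every option length byte is checked against the remaining datagram and against the fixed-size destination before anything is copied, so a crafted length cannot overrun a stack buffer. The function names, the focus on the host-name option and the constructed test packet are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* DHCP: 236-byte fixed header, 4-byte magic cookie, then TLV options (RFC 2131/2132). */
#define DHCP_FIXED_LEN 236
#define OPT_HOSTNAME 12
#define OPT_END 255
static const uint8_t DHCP_COOKIE[4] = {0x63, 0x82, 0x53, 0x63};
enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_NO_END = -3 };

/* Copies the client host name (option 12) into out[out_cap]. Every option length
 * is checked against the bytes left in the datagram, and the host name length
 * against the destination, so a crafted length byte can neither read past the
 * packet nor overflow the caller's stack buffer. */
int dhcp_copy_hostname(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap)
{
    size_t pos = DHCP_FIXED_LEN + sizeof DHCP_COOKIE;
    if (out_cap == 0) return PARSE_TOO_LONG;
    out[0] = '\0';
    if (pkt_len < pos || memcmp(pkt + DHCP_FIXED_LEN, DHCP_COOKIE, sizeof DHCP_COOKIE))
        return PARSE_TRUNCATED;
    while (pos < pkt_len) {
        uint8_t code = pkt[pos++];
        if (code == 0) continue;                          /* PAD option has no length */
        if (code == OPT_END) return PARSE_OK;
        if (pos == pkt_len) return PARSE_TRUNCATED;       /* length byte missing */
        uint8_t len = pkt[pos++];
        if (len > pkt_len - pos) return PARSE_TRUNCATED;  /* value runs off the packet */
        if (code == OPT_HOSTNAME) {
            if (len >= out_cap) return PARSE_TOO_LONG;    /* would overflow out[] */
            memcpy(out, pkt + pos, len);
            out[len] = '\0';
        }
        pos += len;
    }
    return PARSE_NO_END;                                  /* END option never seen */
}

/* Constructed test packet (buf holds >= 300 bytes): zeroed header, cookie, option 12
 * whose length byte says 'claimed' while only 'actual' bytes follow, then END. */
size_t build_packet(uint8_t *buf, uint8_t claimed, const char *name, size_t actual)
{
    size_t pos = DHCP_FIXED_LEN + sizeof DHCP_COOKIE;
    memset(buf, 0, 300);
    memcpy(buf + DHCP_FIXED_LEN, DHCP_COOKIE, sizeof DHCP_COOKIE);
    buf[pos++] = OPT_HOSTNAME; buf[pos++] = claimed;
    memcpy(buf + pos, name, actual); pos += actual;
    buf[pos++] = OPT_END;
    return pos;
}
```

A parser that trusted the length byte and copied into a fixed stack array would, with the 200-byte claim below, smash the frame; here it returns an error before any copy.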
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.