Ankura CTIX FLASH Update - September 27, 2024

Ransomware/Malware Activity


AI-Generated Malware Deployed in Phishing Attacks

Cybersecurity researchers have identified an email phishing campaign that delivers a malware dropper likely written with the help of a generative AI model. Cybercriminals have been known to use “Dark” AI to enhance their social engineering attacks, better articulating their pretext and eliminating the tell-tale grammatical and spelling errors; CTIX analysts reported on the emergence of “Dark” AI this summer. It now appears that unsophisticated cybercriminals are also using generative AI tools to build malware, further lowering the barrier to entry into cybercrime. Researchers at HP Wolf Security recently published their analysis of a phishing email with an invoice lure and an encrypted HTML attachment. Once the recipient decrypts the attachment in the browser, the page it renders delivers a VBScript; when run, the VBScript drops the AsyncRAT remote access trojan onto the victim machine. The VBScript writes several variables to the Windows Registry for the later stages to read back, and drops a JavaScript file into the user directory that is launched by a scheduled task, which provides the persistence. The JavaScript executes a PowerShell script that uses the Registry variables and starts the malware payload after injecting it into a legitimate process. It is the VBScript and JavaScript files that researchers believe were likely created with the help of generative AI. The scripts are neatly structured, with detailed comments explaining each step, and the comments are written in French, which is unusual for malware code. Experienced malware authors rarely comment their code; they generally do the opposite, obfuscating it to make analysis as difficult as possible. The payload, AsyncRAT, is a free and openly available remote access trojan that any novice cybercriminal can pick up and use. Together, these circumstances make it highly likely that the campaign was built by an unseasoned cybercriminal with help from generative AI.
CTIX analysts are keeping an eye out for any additional developments that would suggest generative AI is being used to generate malware payloads beyond just droppers. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
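The chain above (script host writes Registry values, drops a .js into the user profile, registers a scheduled task to run it, and the .js spawns PowerShell) is better caught by correlating the stages than by alerting on any one of them, since legitimate logon scripts also write to the Registry or run from wscript.exe. The following Python is an added example, not code from HP Wolf Security or from the original report: it maps Sysmon-style events to stages of the chain and flags a host when several stages occur within a short window. The sample events, hostnames, paths and scheduled-task name are constructed for illustration and are not indicators from the real campaign.

```python
"""Correlate Sysmon-style endpoint events for the AsyncRAT dropper chain
described above. Each stage alone is noisy; the sequence is the signal.

The events below are constructed for this example, not real telemetry."""
from collections import defaultdict
import re

# Constructed sample events in a Sysmon-like shape (id 1 = process create,
# 11 = file create, 13 = registry value set). Hostnames, user names, file
# paths, the registry key and the task name are hypothetical.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100, "id": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\facture.vbs"'},
    {"host": "WS01", "ts": 101, "id": 13,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Config\Stage1"},
    {"host": "WS01", "ts": 102, "id": 11,
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\update.js"},
    {"host": "WS01", "ts": 103, "id": 1,
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r'schtasks /create /sc minute /mo 5 /tn Update /tr "wscript.exe C:\Users\alice\AppData\Roaming\update.js"'},
    {"host": "WS01", "ts": 400, "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c $p=(Get-ItemProperty HKCU:\\Software\\Config).Stage1"},
    # Benign: an admin logon script run by wscript hits only one stage.
    {"host": "WS02", "ts": 100, "id": 1,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "\\fileserver\netlogon\inventory.vbs"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGES = ("vbs_launched", "registry_staging", "js_dropped",
          "task_persistence", "powershell_from_script")


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_of(ev):
    """Map one event to a stage of the chain, or None if it matches nothing."""
    img = basename(ev.get("image", ""))
    parent = basename(ev.get("parent", ""))
    cmd = ev.get("cmd", "")
    target = ev.get("target", "")
    if ev["id"] == 1 and img in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I):
        return "vbs_launched"
    if ev["id"] == 13 and img in SCRIPT_HOSTS and target.upper().startswith(("HKU\\", "HKCU\\")):
        return "registry_staging"
    if ev["id"] == 11 and img in SCRIPT_HOSTS and target.lower().endswith(".js") \
            and "\\users\\" in target.lower():
        return "js_dropped"
    if ev["id"] == 1 and img == "schtasks.exe" and "/create" in cmd.lower() and ".js" in cmd.lower():
        return "task_persistence"
    if ev["id"] == 1 and img == "powershell.exe" and parent in SCRIPT_HOSTS:
        return "powershell_from_script"
    return None


def detect(events, min_stages=3, window=600):
    """Return {host: [stages seen, in chain order]} for every host on which at
    least `min_stages` distinct stages occur within `window` seconds."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    hits = {}
    for host, obs in by_host.items():
        # Slide a window starting at each observation on this host.
        for i, (t0, _) in enumerate(obs):
            seen = {s for t, s in obs[i:] if t - t0 <= window}
            if len(seen) >= min_stages:
                hits[host] = [s for s in STAGES if s in seen]
                break
    return hits


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The threshold and window are tunable: three stages within ten minutes catches the drop-and-persist phase even when the PowerShell stage is delayed until the scheduled task first fires, while a single wscript.exe launch of a .vbs on WS02 never reaches the threshold. In a real deployment the stage rules would be written against the actual Sysmon or EDR field names rather than this simplified shape.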

 

 

Threat Actor Activity

Chinese Hackers, Salt Typhoon, Infiltrating Deep Inside US Internet Service Providers

A Chinese advanced persistent threat (APT) group tracked as Salt Typhoon has been newly reported to be behind a series of cyber espionage operations targeting U.S. internet service providers (ISPs). The group, believed to be backed by Beijing, has reportedly compromised several ISPs to establish a persistent presence within their networks, with the apparent aims of gathering sensitive information and potentially pre-positioning for future disruptive cyberattacks. Salt Typhoon, whose activity overlaps with the groups known as FamousSparrow and GhostEmperor, has a history of targeting high-profile entities in Southeast Asia and other regions, and the ISP intrusions fit a broader pattern of Chinese state-sponsored efforts to infiltrate critical infrastructure. Investigators are examining whether the intruders accessed Cisco Systems routers, which carry a large share of internet traffic routing. This campaign follows similar intrusions by other Chinese APT groups, such as Flax Typhoon and Volt Typhoon, known for targeting U.S. critical infrastructure, government, and military networks and linked to extensive cyber espionage and data theft operations. Salt Typhoon's recent activity reflects China's strategic priorities, including reconnaissance and pre-positioning for potential military conflict: by compromising ISPs, the group could monitor high-value targets, including federal agencies, military contractors, and Fortune 100 companies, in line with China's broader goals of controlling regional assets and preparing for possible conflict, such as over Taiwan. The U.S. government and cybersecurity agencies are actively responding to these threats; recent actions include the disruption of a 260,000-device botnet controlled by Flax Typhoon and heightened warnings about ongoing Chinese cyber campaigns. CTIX analysts advise organizations to review the latest advisories and implement stringent security practices to protect against these sophisticated threats.

 

Vulnerabilities

CISA adds Critical Ivanti Virtual Traffic Manager Flaw to its Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a critical vulnerability in Ivanti’s Virtual Traffic Manager (vTM) as under active exploitation and added it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2024-7593, has a CVSS score of 9.8/10 and stems from an incorrect implementation of the authentication algorithm, allowing an unauthenticated remote attacker to bypass authentication on an Internet-exposed vTM admin panel and create a rogue administrator account. Although Ivanti released patches in March and May 2024 that address this vulnerability, the company has confirmed that proof-of-concept (PoC) exploit code is publicly available. At the time of its advisory Ivanti said it was not aware of exploitation in the wild, but the KEV listing now indicates that the flaw is being exploited; Ivanti urges customers to update and to restrict access to the management interface by binding it to private networks or trusted IPs. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by October 15, 2024, in accordance with Binding Operational Directive (BOD) 22-01, and private organizations worldwide are strongly advised to prioritize securing their systems against this flaw. Ivanti has been working on enhancing its internal security measures and disclosure processes following repeated attacks on its product lines in recent months. CTIX analysts urge administrators impacted by this flaw to patch, to remove the management interface from the Internet, and, because successful exploitation creates an administrator account rather than just a session, to audit the vTM administrator account list and management-interface access logs for accounts or logins they did not create, since patching alone does not evict an attacker who got in before the fix was applied.

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
