Ransomware/Malware Activity
Storm-0501 Releases Embargo Ransomware in Cloud Environments
Researchers at Microsoft have recently warned that the threat actor Storm-0501 is now deploying ransomware in hybrid cloud environments in addition to on-premises environments. Storm-0501 is a ransomware threat actor that has been active since 2021 and is known to use a variety of ransomware strains in its attacks, including Hive, BlackCat, LockBit, and Embargo. Embargo ransomware is a Rust-based family provided to threat groups under a ransomware-as-a-service (RaaS) model. Storm-0501 has targeted the healthcare, government, transportation, law enforcement, and manufacturing sectors in the United States. In recent campaigns, the group has expanded its operations to compromise hybrid cloud environments, exfiltrating data and encrypting systems to extort ransom from victims. Storm-0501 initially gains access to victim organizations either through compromised credentials or through exploitation of known vulnerabilities. Once a privileged account in Microsoft Entra ID (formerly Azure AD) is compromised, Storm-0501 establishes persistence by creating a new federated domain within the Microsoft Entra tenant. This is also a well-known tactic of the notorious Scattered Spider (also tracked as "Octo Tempest") threat actor group. After victim data is exfiltrated, the Embargo ransomware payload is deployed using scheduled tasks or Group Policy Objects (GPOs) to encrypt files across devices. Compromising a federated identity access manager to gain access to and establish persistence in cloud environments is becoming an increasingly popular tactic among threat actors. In Entra ID environments, it is particularly important that organizations monitor the authentication and activity of Microsoft Entra Connect Sync accounts, which are used to synchronize data between on-premises Active Directory and the cloud. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
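The two monitoring points named above (federated-domain changes in the Entra audit log, and Entra Connect Sync account sign-ins from anywhere other than the Entra Connect server) can be expressed as simple detection rules. The following is an added example written for this update, not code from Microsoft or the CTIX team; it assumes a simplified, constructed record shape for audit and sign-in events, while the operation names and the `Sync_<server>_<id>` account naming are the real Entra ID conventions.

```python
from dataclasses import dataclass

# Entra ID audit-log OperationName values that add a domain or change how it
# authenticates; a new federated domain shows up as one or more of these.
FEDERATION_OPS = {
    "Add unverified domain",
    "Add verified domain",
    "Set domain authentication",
    "Set federation settings on domain",
}

@dataclass(frozen=True)
class Finding:
    rule: str
    actor: str
    detail: str

def analyze(audit_events, signin_events, connect_server_ips):
    """Return findings for federation/domain changes and for Entra Connect Sync
    account sign-ins that do not originate from a known Entra Connect server."""
    findings = []
    for ev in audit_events:
        if ev["operationName"] in FEDERATION_OPS:
            findings.append(Finding("federation-change", ev["initiatedBy"],
                                    f'{ev["operationName"]} on {ev["targetDomain"]}'))
    for ev in signin_events:
        upn = ev["userPrincipalName"]
        # Entra Connect Sync service accounts are named Sync_<server>_<id>@<tenant>
        if upn.lower().startswith("sync_") and ev["ipAddress"] not in connect_server_ips:
            findings.append(Finding("sync-account-offhost", upn,
                                    f'sign-in from {ev["ipAddress"]}'))
    return findings

# Constructed sample telemetry (hypothetical tenant, addresses and domain).
SAMPLE_AUDIT = [
    {"operationName": "Update user", "initiatedBy": "admin@example.com", "targetDomain": ""},
    {"operationName": "Set federation settings on domain", "initiatedBy": "admin@example.com",
     "targetDomain": "attacker-added.example"},
]
SAMPLE_SIGNINS = [
    {"userPrincipalName": "Sync_AADC01_1a2b3c@example.onmicrosoft.com", "ipAddress": "10.0.0.5"},
    {"userPrincipalName": "Sync_AADC01_1a2b3c@example.onmicrosoft.com", "ipAddress": "203.0.113.7"},
    {"userPrincipalName": "jdoe@example.com", "ipAddress": "203.0.113.7"},
]
KNOWN_CONNECT_SERVERS = {"10.0.0.5"}  # the Entra Connect server's address (constructed)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_AUDIT, SAMPLE_SIGNINS, KNOWN_CONNECT_SERVERS):
        print(finding)
```

In a real deployment the same rules map directly onto the AuditLogs and SigninLogs tables; the point is that a sync account authenticating from a host other than the Entra Connect server is itself a high-fidelity signal.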
Threat Actor Activity
Transportation and Logistics Sectors Targeted by Info-Stealing Malware
A new phishing campaign targeting transportation and logistics companies in North America has been identified by cybersecurity researchers. This campaign, active since May 2024, uses compromised legitimate email accounts from the transportation sector to distribute a variety of malware strains, including Lumma Stealer, StealC, DanaBot, and Arechclient2. The threat actors inject malicious content into existing email conversations, making their lures more convincing and harder to detect. Researchers noted that at least fifteen (15) email accounts have been compromised, although the exact method of infiltration remains unclear. In August 2024, the attackers shifted tactics, employing new infrastructure, delivery methods, and additional payloads. One of the techniques involves sending messages with internet shortcut (.URL) attachments or Google Drive URLs that lead to .URL files. When launched, these files use Server Message Block (SMB) to fetch the next-stage malware payload from a remote location. Additionally, some variants of the campaign have used a technique called ClickFix, which tricks victims into downloading the DanaBot malware by urging them to copy and paste a Base64-encoded PowerShell script into a terminal. The attackers have impersonated software solutions such as Samsara, AMB Logistic, and Astra TMS, which are specific to transport and fleet management, indicating that they are likely conducting thorough research on their targets before launching their attacks. The emergence of this campaign comes amid a rise in various stealer malware strains and follows the discovery of a new version of the RomCom remote access trojan (RAT), called SnipBot. Distributed via phishing emails, SnipBot allows attackers to execute commands, download additional modules, and manipulate files on the victim's system.
Overall, this campaign highlights the evolving tactics of financially motivated threat actors who tailor their lures to specific industries, leveraging compromised email accounts to increase the authenticity of their attacks. CTIX analysts recommend heightened cybersecurity vigilance from organizations in the transportation and logistics sectors.
Vulnerabilities
NVIDIA Container Toolkit Vulnerability Allows for a Full System Takeover
A critical vulnerability in the NVIDIA Container Toolkit allows attackers to escape containers and gain full control over the host system, posing a significant risk to AI applications in cloud and on-premises environments that rely on GPU resources. The flaw, tracked as CVE-2024-0132 (CVSS score 9.0), is a Time-of-Check Time-of-Use (TOCTOU) vulnerability affecting Toolkit versions up to 1.16.1 and GPU Operator versions up to 24.6.1, and stems from inadequate isolation between the containerized GPU and the host system. Attackers can exploit this vulnerability via maliciously crafted container images, gaining access to the host's file system and the ability to execute commands through writable Unix sockets such as "docker.sock" and "containerd.sock", leading to code execution, data exfiltration, and potential full system takeover. According to Wiz Research, 33-35% of cloud environments using the vulnerable Toolkit are at risk, highlighting the severity of the issue. The vulnerability affects multi-tenant environments in particular, potentially exposing sensitive data and secrets belonging to other applications sharing the same node or cluster. NVIDIA released patches in version 1.16.2 of the Container Toolkit and GPU Operator 24.6.2 on September 26, 2024, following Wiz's report on September 1, 2024. CTIX analysts strongly advise users to upgrade; technical details remain withheld to prevent exploitation while organizations apply mitigations.
- Security Affairs: CVE-2024-0132 Article
- The Hacker News: CVE-2024-0132 Article
- Bleeping Computer: CVE-2024-0132 Article
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.