Ankura CTIX FLASH Update - October 22, 2024

Ransomware/Malware Activity
ESET Distributor Breached, Data Wipers Sent to Israeli Organizations

Cybercriminals have allegedly breached Comsecure, an Israeli distributor of ESET’s software and cybersecurity products, and used that access to send Israeli organizations phishing emails carrying data-wiping malware disguised as cybersecurity software. The phishing campaign began on October 8th, when emails from the legitimate eset[.]co[.]il domain were sent to Israel-based customers in the name of ESET’s “Advanced Threat Defense Team”. The emails warned that the recipient had recently been targeted by government-backed attackers and offered a link to download an advanced cybersecurity tool, “ESET Unleashed”. The link pointed to the legitimate eset[.]co[.]il domain, which hosted a ZIP archive containing four DLL files digitally signed with ESET’s code signing certificate along with an unsigned executable, “Setup.exe”. “Setup.exe” is the data wiper: it deletes all files from the victim’s computer and corrupts the partition table to make data recovery difficult. ESET released a statement on October 18th, 2024, noting that the company was “…aware of a security incident which affected our partner company in Israel last week”. ESET’s announcement states that a “limited malicious campaign was blocked within ten minutes” and that its customers are secure. As of this writing, the attack has not been attributed to a specific threat actor. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
China's Spamouflage Campaign Targeting U.S. Senator Marco Rubio

The Chinese disinformation campaign known as Spamouflage has honed its focus on U.S. Senator Marco Rubio, employing new tactics to test the effectiveness of its influence operations. Researchers from Clemson University have observed Spamouflage targeting Rubio's X account, marking a shift from its 2022 strategy, which involved flooding social media with supportive but poorly crafted content. That earlier approach aimed to drown out genuine messages and create enough noise that real discourse became hard to hear - to sweep an unflattering topic under the rug. In its latest efforts, Spamouflage has shifted to using more authentic-looking hijacked accounts to spread anti-Rubio content across platforms such as X, Reddit, and Medium. The content is notably well-written, potentially produced with the help of AI or large language models (LLMs). This move away from boosting narratives suggests an alignment with Russian disinformation strategies, which focus on creating divisions and highlighting U.S. domestic issues. Senator Rubio, a known critic of China, has acknowledged the increasing aggression of China's information operations and stressed the importance of addressing these efforts. Researchers warn against underestimating China's sophistication in conducting influence campaigns, emphasizing the nuanced and complex nature of its operations.
Vulnerabilities
Critical Vulnerabilities in Multiple Major End-to-End Encrypted Cloud Storage Platforms Impact Tens of Millions of People

Cybersecurity researchers from ETH Zurich uncovered significant cryptographic vulnerabilities in several major end-to-end encrypted (E2EE) cloud storage platforms, including Sync, pCloud, Icedrive, Seafile, and Tresorit, collectively used by over 22 million people. The flaws allow an attacker who controls a compromised server to inject, tamper with, or access user data. The vulnerabilities include unauthenticated key material, encryption protocol downgrades, and metadata manipulation, which undermine file confidentiality, integrity, and user security. Specific weaknesses, such as Sync's exposure of shared passwords and key injection issues, pCloud's encryption tampering, and Icedrive's unauthenticated CBC encryption, leave these systems open to attackers, including nation-state actors and skilled hackers. Tresorit fared relatively better, with issues confined to metadata and public key handling, though improvements are planned for 2025. While Icedrive declined to address the identified flaws, other providers have begun responding, and some issues have already been patched. This research underscores the gap between the security claims of E2EE platforms and the real-world risks they face, highlighting the need for stronger cryptographic safeguards across the industry. CTIX analysts will continue to report on new and novel vulnerabilities to keep our readers informed about the potential threats to their data.
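The flaw class behind several of the findings above, encryption that carries no integrity check and so lets a compromised storage server alter stored data without the client noticing, can be shown with a short Go program. This is an added example written for this update, not code from the ETH Zurich research or from any of the named providers; it uses only the Go standard library, and a single flipped bit in the stored blob stands in for a server that modifies data at rest. A client using unauthenticated AES-CBC decrypts the altered blob without any error and gets back wrong data, while a client using an authenticated mode (AES-GCM) rejects it before returning anything. The key and sample file content are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptCBC encrypts with AES-CBC and PKCS#7 padding and prepends the IV.
// Nothing in the output lets the client detect later modification.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padLen := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(padLen)}, padLen)...)
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// decryptCBC reverses encryptCBC. A padding check is the only validation it
// can do, and valid padding says nothing about whether the data was altered.
func decryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
	padLen := int(out[len(out)-1])
	if padLen == 0 || padLen > aes.BlockSize || padLen > len(out) {
		return nil, errors.New("bad padding")
	}
	for _, b := range out[len(out)-padLen:] {
		if int(b) != padLen {
			return nil, errors.New("bad padding")
		}
	}
	return out[:len(out)-padLen], nil
}

// sealGCM encrypts with AES-GCM (an AEAD) and prepends the nonce. The
// authentication tag covers the whole ciphertext.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM verifies the tag before releasing any plaintext.
func openGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

// flipFirstBit models a storage server that alters one bit of a stored blob.
func flipFirstBit(blob []byte) []byte {
	c := append([]byte{}, blob...)
	c[0] ^= 0x01
	return c
}

// TamperResult records how each scheme reacted to the altered blob.
type TamperResult struct {
	CBCErr     error // nil: CBC decrypt raised no error at all
	CBCChanged bool  // true: CBC returned data that differs from the original
	GCMErr     error // non-nil: GCM refused the altered blob
}

// Demo encrypts plaintext under both schemes with a fresh random key,
// lets the "server" alter each stored blob, and reports what the client sees.
func Demo(plaintext []byte) (TamperResult, error) {
	var r TamperResult
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return r, err
	}
	cbcBlob, err := encryptCBC(key, plaintext)
	if err != nil {
		return r, err
	}
	pt, err := decryptCBC(key, flipFirstBit(cbcBlob))
	r.CBCErr = err
	r.CBCChanged = err == nil && !bytes.Equal(pt, plaintext)

	gcmBlob, err := sealGCM(key, plaintext)
	if err != nil {
		return r, err
	}
	_, r.GCMErr = openGCM(key, flipFirstBit(gcmBlob))
	return r, nil
}

func main() {
	r, err := Demo([]byte("amount=100;to=alice")) // constructed sample file content
	if err != nil {
		panic(err)
	}
	fmt.Printf("CBC: error=%v, plaintext silently changed=%v\n", r.CBCErr, r.CBCChanged)
	fmt.Printf("GCM: error=%v\n", r.GCMErr)
}
```

Run it with `go run`. The CBC line reports no error and a changed plaintext; the GCM line reports an authentication failure and no plaintext. The design point for a client-side encryption product is that integrity has to be verified before any decrypted bytes are used, which is what an AEAD mode or an encrypt-then-MAC construction gives and what a bare block mode, with or without a padding check, does not.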
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.