Ransomware/Malware Activity
NotLockBit macOS Ransomware Samples Indicate Emerging Threat
Researchers at SentinelOne and Trend Micro have released analysis of a new ransomware family targeting macOS, based on samples uploaded to VirusTotal. As of writing, there has been no confirmed successful attack leveraging this ransomware in the wild; however, the evolution visible across multiple samples posted in January and May of this year suggests it is in active development. The malware family has been dubbed "NotLockBit" because its final stage changes the victim machine's wallpaper to a LockBit 2.0 banner, yet nothing in the malware indicates an affiliation with the LockBit ransomware operation, and LockBit 2.0 has already been superseded by version 3.0. The malware is written in Go and is distributed as an x86_64 binary, so it runs natively on Intel Macs and on Apple silicon Macs that have Rosetta installed. While the malware is currently at a Proof of Concept (POC) stage, it already includes infrastructure for exfiltrating and storing victim data: hard-coded AWS credentials are used to upload data to attacker-controlled AWS S3 buckets. The ransomware uses a hybrid scheme built on RSA asymmetric encryption: a random master key is generated for each file and used to encrypt that file, and the master key is then encrypted with the embedded RSA public key, so only the holder of the private key can recover it. Encrypted files are given a ".abcd" file extension, and a README.txt ransom note is left in each compromised folder. It is important to note that victims would still need to allow the malware to run by accepting the warnings raised by Apple's TCC protections. However, TCC bypass techniques do exist, and it is likely that a future version of the malware will include one. The discovery of these samples signals an emerging ransomware threat against macOS devices. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
- Security Week: NotLockBit Article
- SC World: NotLockBit Article
- SentinelOne: NotLockBit Blog
- Trend Micro: Fake LockBit Research
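As an added defender-side example (not code from the original report or from either vendor's analysis), the script below scans a directory tree for the on-disk artifacts the analysis describes: files renamed with the ".abcd" extension and a README.txt note dropped into each affected folder. It also sweeps file contents for the public AWS access key ID format (AKIA followed by 16 uppercase alphanumerics), since the samples are reported to carry hard-coded AWS credentials; the assumption that such keys appear as plain text in a suspect binary is the script's own, as are the constructed sample tree and the dummy key ID it contains.

```python
"""Scan a directory tree for NotLockBit-style ransomware artifacts.

Added example for triage on a macOS host or a mounted image. The sample tree
is constructed in a temp directory so the script runs offline; no real sample
or credential is involved.
"""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".abcd"   # extension reported in the NotLockBit analysis
NOTE_NAME = "README.txt"  # ransom-note name reported in the analysis
# Public format of an AWS access key ID. Assumption: a hard-coded key would be
# present as a plain-text string in the binary, as in a strings(1) sweep.
AWS_KEY_ID_RE = re.compile(rb"AKIA[0-9A-Z]{16}")


def scan_tree(root: str) -> dict:
    """Walk `root` and report ransomed folders plus any AWS key IDs found.

    A folder is flagged as ransomed only when it holds BOTH a ransom note and
    at least one ".abcd" file. Either artifact alone is reported separately so
    an analyst can triage partial encryption or an unrelated README.txt.
    """
    hits = {"ransomed_dirs": [], "note_only": [],
            "encrypted_only": [], "aws_key_ids": []}
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        has_note = NOTE_NAME in files
        encrypted = [f for f in files if f.endswith(ENCRYPTED_EXT)]
        if has_note and encrypted:
            hits["ransomed_dirs"].append(rel)
        elif has_note:
            hits["note_only"].append(rel)
        elif encrypted:
            hits["encrypted_only"].append(rel)
        for name in files:
            try:
                data = Path(dirpath, name).read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for match in AWS_KEY_ID_RE.finditer(data):
                hits["aws_key_ids"].append((rel, name, match.group().decode()))
    for key in ("ransomed_dirs", "note_only", "encrypted_only"):
        hits[key].sort()
    return hits


def build_sample_tree() -> str:
    """Create a constructed layout mimicking a partially ransomed host."""
    root = tempfile.mkdtemp(prefix="notlockbit_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "report.docx.abcd").write_bytes(b"\x00" * 64)   # "encrypted" file
    (docs / NOTE_NAME).write_text("your files are encrypted\n")
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")    # untouched file
    (pics / NOTE_NAME).write_text("unrelated readme\n")    # note, nothing encrypted
    stage = Path(root, "tmp")
    stage.mkdir()
    # Constructed binary-like blob carrying a dummy key ID (not a real credential).
    (stage / "updater").write_bytes(b"\x7fELF" + b"AKIAEXAMPLEKEY123456" + b"\x00")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for key, value in scan_tree(demo_root).items():
        print(f"{key}: {value}")
```

Point `scan_tree` at a user's home directory or a mounted forensic image to triage a suspected host; the ransomed_dirs list gives the blast radius, and any aws_key_ids hit on an unknown executable is worth pulling for analysis.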
Threat Actor Activity
Threat Actors are Using a New Method to Jailbreak AI Models for Malicious Assistance
Researchers have uncovered a new adversarial technique, dubbed Deceptive Delight, designed to jailbreak large language models (LLMs) by subtly embedding undesirable instructions within otherwise benign conversations. The method, which achieved a notable attack success rate of 64.6%, gradually manipulates the contextual meaning of the conversation to bypass safety guardrails and elicit harmful content. By exploiting the limited attention span of LLMs, Deceptive Delight leads a model to overlook malicious input when it is intertwined with innocent content. Unlike traditional multi-turn jailbreak methods, Deceptive Delight relies on context manipulation to elicit unsafe responses, whereas techniques such as the Context Fusion Attack (CFA) use scenario construction to disguise harmful intent. Testing revealed that violence-related topics achieved the highest success rates, and that additional conversation turns significantly increased the Harmfulness and Quality Scores. To counter these risks, the researchers recommend implementing robust content filtering, strengthening prompt engineering, and clearly defining acceptable parameters for inputs and outputs. The research highlights the value of multi-layered defense strategies for mitigating jailbreak risks, while acknowledging that AI models may never be entirely immune to such attacks. CTIX analysts have highlighted the risks of threat actors leveraging AI before; that material can be found here: Ankura: Dark AI One-Pager.
Vulnerabilities
Critical Fortinet FortiManager Vulnerability Exploited as a Zero-Day
Fortinet recently disclosed a critical vulnerability in its FortiManager API, nicknamed "FortiJump", which has been actively exploited in zero-day attacks. The flaw, tracked as CVE-2024-47575 with a CVSS score of 9.8/10, lies in the handling of the FortiGate to FortiManager (FGFM) protocol and allows unauthenticated remote attackers to execute arbitrary code by submitting maliciously crafted requests. The vulnerability affects FortiManager versions 6.x and 7.x, FortiManager Cloud, and certain older FortiAnalyzer models. Observed exploitation has primarily aimed to steal sensitive configuration data, including IP addresses, credentials, and the configurations of managed devices; no malware or backdoors have been found. Fortinet has released patches and provided workarounds for customers unable to update immediately. Google-owned Mandiant attributed the attacks to a new threat cluster tracked as UNC5820, which has targeted at least fifty (50) FortiManager devices across industries since June 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that all Federal Civilian Executive Branch (FCEB) agencies patch it by November 13, 2024. Fortinet's handling of the disclosure, including privately notifying customers before going public, has sparked frustration among users, some of whom reported breaches before the official warning. While Fortinet has taken steps to address the issue, customers remain concerned about the company's transparency in managing such vulnerabilities. CTIX analysts recommend that all administrators defend their infrastructure from exploitation by patching or enacting the workarounds.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.