Ankura CTIX FLASH Update - October 29, 2024

Ransomware/Malware Activity


TeamTNT Launches Attacks Compromising Docker for CryptoMining 

Researchers have detailed a new attack campaign by the hacking group TeamTNT that compromises Docker daemons to deploy cryptominers. TeamTNT is a notorious cryptojacking group that has targeted cloud environments for years. This recent campaign uses an attack script called Docker Gatling Gun to search the internet for exposed Docker daemons on specific ports using masscan and ZGrab. A malicious container hosted on a compromised Docker Hub account is deployed on the exposed Docker daemons to infect the endpoint with Sliver malware and cryptominers. The campaign has been attributed to TeamTNT based on its characteristics, malware naming conventions, choice of tools, and familiar infrastructure. TeamTNT has been observed diversifying its income stream by renting the compromised infrastructure to other bad actors through a mining rental platform called Mining Rig Rentals. The campaign uses the Sliver command-and-control framework to remotely manage infected servers, a departure from the Tsunami backdoor traditionally used by the threat actor. Researchers have also noted that TeamTNT has been experimenting with adding compromised Docker hosts to a Docker Swarm for centralized management. CTIX analysts recommend that organizations ensure Docker instances are configured to only allow connections from authenticated clients and implement access control lists to restrict which hosts can reach Docker APIs. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
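The "authenticated clients only" recommendation above translates to the Docker daemon's own settings: no `tcp://` listener in `daemon.json` unless `tlsverify` and a CA/cert/key are configured. The audit below is an added example, not CTIX or Docker project code; the two embedded `daemon.json` documents are constructed samples showing the weak and the hardened configuration side by side.

```python
"""Audit a Docker daemon.json for an unauthenticated, network-exposed API.

By default dockerd listens only on a local Unix socket. A "tcp://" entry in
"hosts" publishes the API on the network; unless "tlsverify" is on, anyone who
can reach that port can run containers as root on the host, which is how the
campaign above deploys its malicious image.
"""
import json
import sys
from urllib.parse import urlsplit

ALL_INTERFACES = {"", "0.0.0.0", "::"}


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return findings for one daemon.json document; an empty list means none."""
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    tls_verify = cfg.get("tlsverify") is True
    has_certs = all(k in cfg for k in ("tlscacert", "tlscert", "tlskey"))
    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are reachable only locally
        bind = urlsplit(host).hostname or ""  # brackets around IPv6 are stripped
        if not tls_verify:
            findings.append(f"{host}: TCP API listener without tlsverify (unauthenticated)")
        elif not has_certs:
            findings.append(f"{host}: tlsverify is set but CA/cert/key paths are missing")
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: bound on all interfaces; restrict to a management address")
    return findings


# Constructed samples: the weak configuration beside a hardened one.
EXPOSED = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    with open(path) as fh:
        for finding in audit_daemon_config(fh.read()) or ["no findings"]:
            print(finding)
```

Even the hardened form still needs host-level access control lists on the management address, as the recommendation above says; TLS client authentication and network restriction are complementary.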


Threat Actor Activity


Black Basta Using Microsoft Teams to Masquerade as IT Support

Known for its origins as a faction of the Conti cybercriminal group, Black Basta has been observed shifting from traditional email and phone-based attacks to leveraging Microsoft Teams, where threat actors pose as IT support to address fabricated spam issues. By creating deceptive accounts with names that mimic help desk services (like securityadminhelper.onmicrosoft[.]com, supportserviceadmin.onmicrosoft[.]com, supportadministrator.onmicrosoft[.]com, cybersecurityadmin.onmicrosoft[.]com), the attackers establish one-on-one chats with employees, aiming to trick them into installing remote access tools like AnyDesk. This access allows the attackers to install further malicious payloads, including "AntispamAccount.exe" and the notorious Cobalt Strike, to facilitate deeper network penetration and eventual ransomware deployment. Further investigations into these attacks by cybersecurity researchers revealed that the malicious actors are likely operating out of Russia, as indicated by time zone data. The use of QR codes in chats adds another layer of complexity, though their specific function remains undetermined. To counteract these threats, CTIX analysts advise organizations to restrict external communications on Microsoft Teams, permitting interactions only from trusted domains. Additionally, enabling logging, especially for chat creation events, can help detect and mitigate suspicious activities.
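The logging recommendation above only pays off with a rule to read the events, so here is an added triage example (not CTIX or Microsoft code) over constructed chat-creation records. The record layout (`Operation`, `ChatType`, `Members`) is an assumption modelled on Microsoft 365 audit exports and must be mapped to your own export; the trusted-domain set is constructed, and the external tenant in the sample is one of the look-alike domains reported above.

```python
"""Flag Teams chat-creation audit events that involve look-alike external tenants.

Records are constructed to resemble Microsoft 365 unified audit log entries for
the Teams "ChatCreated" operation; the field names used here are an assumption.
"""
import re

# Your own tenant domains and trusted federation partners (constructed sample).
TRUSTED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
# Tenant names that imitate a help desk, as in the account names seen in this campaign.
HELPDESK_WORDS = re.compile(r"support|help|admin|security|it-?desk", re.I)


def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def flag_chat_created(event: dict) -> list[str]:
    """Return reasons the event is suspicious; an empty list means it looks benign."""
    if event.get("Operation") != "ChatCreated":
        return []
    reasons = []
    for upn in event.get("Members", []):
        dom = domain_of(upn)
        if dom in TRUSTED_DOMAINS:
            continue
        reasons.append(f"external participant {upn}")
        tenant = dom.split(".", 1)[0]
        if dom.endswith(".onmicrosoft.com"):
            reasons.append(f"default *.onmicrosoft.com tenant domain {dom}")
        if HELPDESK_WORDS.search(tenant):
            reasons.append(f"help-desk look-alike tenant name '{tenant}'")
    if reasons and event.get("ChatType") == "OneOnOne":
        reasons.append("one-on-one chat initiated with an external party")
    return reasons


# Constructed sample events: an internal chat, an external look-alike chat, and a non-creation event.
SAMPLE_EVENTS = [
    {"Id": "1", "Operation": "ChatCreated", "ChatType": "OneOnOne",
     "Members": ["alice@contoso.com", "bob@contoso.com"]},
    {"Id": "2", "Operation": "ChatCreated", "ChatType": "OneOnOne",
     "Members": ["helpdesk@securityadminhelper.onmicrosoft.com", "alice@contoso.com"]},
    {"Id": "3", "Operation": "MessageSent", "ChatType": "OneOnOne",
     "Members": ["helpdesk@securityadminhelper.onmicrosoft.com", "alice@contoso.com"]},
]


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event Id -> reasons, for every event that produced at least one reason."""
    return {e["Id"]: r for e in events if (r := flag_chat_created(e))}


if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```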


Vulnerabilities


Windows OS Downgrade Vulnerability Activates Flaws that Have Already Been Patched

Security researcher Alon Leviev has uncovered a critical vulnerability in Windows systems, allowing attackers to bypass Microsoft’s Driver Signature Enforcement (DSE) by downgrading critical kernel components, even on fully patched systems. This technique involves hijacking the Windows Update process to roll back secure OS components, replacing them with outdated, unpatched versions. Using a tool called "Windows Downdate," attackers can reintroduce fixed vulnerabilities, rendering the term “fully patched” meaningless. This bypass enables loading unsigned kernel drivers, paving the way for custom rootkits that can disable security controls, hide activity, and persist undetected. Leviev presented this technique, named “ItsNotASecurityBoundary,” at BlackHat and DEFCON, demonstrating how the attack manipulates components like "ci.dll" to bypass DSE and exploit root-level privileges. Although Microsoft addressed two (2) related vulnerabilities (CVE-2024-21302 and CVE-2024-38202), they have not yet fully addressed the Windows Update takeover, citing it as outside a defined security boundary. The vulnerability is further exacerbated by the ability to disable Virtualization-Based Security (VBS) if improperly configured, which otherwise protects critical assets like the secure kernel. Microsoft is developing a solution, though it requires rigorous testing for compatibility and stability across versions. Leviev's findings underscore the urgent need for defenses against downgrade attacks, as this technique bypasses traditional security boundaries, putting systems at substantial risk. To mitigate this flaw for now, users must ensure that VBS is enabled with UEFI lock and the Mandatory flag set. CTIX analysts urge administrators to follow the mitigation techniques for now and monitor for when a permanent fix is released.
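The interim mitigation above (VBS enabled, UEFI-locked, with the Mandatory flag) is expressed in three values under the DeviceGuard registry key. The checker below is an added example, not CTIX or Microsoft code: the key path and value names are those Microsoft documents for VBS and its rollback-blocking guidance, the compliance logic and the two sample value sets are constructed.

```python
"""Check DeviceGuard registry values for the VBS posture recommended above.

Key: HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard
  EnableVirtualizationBasedSecurity = 1  -> VBS on
  Locked = 1                             -> UEFI lock; cannot be turned off from the running OS
  Mandatory = 1                          -> boot fails rather than starting without VBS
Value names follow Microsoft's documentation; the evaluation logic is this example's own.
"""
import sys

DEVICEGUARD_KEY = r"SYSTEM\CurrentControlSet\Control\DeviceGuard"
REQUIRED = {"EnableVirtualizationBasedSecurity": 1, "Locked": 1, "Mandatory": 1}


def evaluate_vbs(values: dict) -> dict:
    """Compare a {value_name: data} mapping against REQUIRED and report the gaps."""
    settings = {
        name: {"expected": want, "actual": values.get(name), "ok": values.get(name) == want}
        for name, want in REQUIRED.items()
    }
    missing = [name for name, s in settings.items() if not s["ok"]]
    return {"compliant": not missing, "missing": missing, "settings": settings}


def read_deviceguard_values() -> dict:
    """Read the live key on Windows; returns {} on other platforms or if the key is absent."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DEVICEGUARD_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under the key
                values[name] = data
                index += 1
    except OSError:
        pass  # key not present: VBS never configured here
    return values


# Constructed samples: VBS on but unlocked (still downgradeable) beside the recommended state.
VBS_UNLOCKED = {"EnableVirtualizationBasedSecurity": 1, "RequirePlatformSecurityFeatures": 1}
VBS_LOCKED_MANDATORY = {"EnableVirtualizationBasedSecurity": 1, "Locked": 1, "Mandatory": 1}

if __name__ == "__main__":
    live = read_deviceguard_values()
    print(evaluate_vbs(live if live else VBS_UNLOCKED))
```

A host whose report lists "Locked" or "Mandatory" as missing has VBS running but not pinned, which is the configuration the paragraph above describes as still exposed.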


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
