Ransomware/Malware Activity
FakeCall Android Malware Routes Bank Calls to Attackers
Cybersecurity researchers are tracking a new variant of an Android malware dubbed “FakeCall”. The malware is designed to intercept phone calls made to the victim’s bank and route the call to an attacker-owned phone number. Built for Android and deployed via an APK (Android Package Kit), the malware reroutes calls by setting itself up as the default call handler during installation. FakeCall displays a convincing UI that mimics Android’s call interface, showing the bank’s legitimate phone number while the victim is actually on a call with the attacker. FakeCall is delivered via social engineering attacks, and the attacker’s goal is to obtain sensitive banking information from the victim. The FakeCall trojan was first seen in 2022 and is now impersonating over twenty (20) financial organizations. In addition to hijacking calls, the latest versions of FakeCall include a new phone listener service which allows the attacker to issue commands to the device to get the device’s location, delete applications, record audio or video, and edit contacts. New commands also allow the attacker to live stream the device’s screen content, take screenshots, unlock the device, and delete and upload images. CTIX analysts recommend that individuals refrain from installing applications via sideloaded APKs and opt for the more secure Google Play store. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
North Korean-linked Hackers Conduct Joint Cyber Attack with Play Ransomware Group
A recent investigation by cybersecurity specialists revealed a collaboration between North Korean state-sponsored hackers, known as Andariel or Jumpy Pisces, and the Play ransomware group. This marks the first documented instance of such collaboration between a North Korean state-sponsored group and an underground ransomware operation, highlighting North Korea's increasing involvement in financially motivated cybercrime. Andariel, linked to North Korea's Reconnaissance General Bureau (RGB), has historically engaged in cyber espionage and ransomware operations dating back to 2009, previously deploying strains like SHATTEREDGLASS and Maui. The investigation into the ransomware attack that revealed this collaboration found that Andariel gained initial access to a network in May 2024 using a compromised user account. Over several months, Andariel conducted lateral movement, persistence activities, and credential harvesting, using tools like the Sliver C2 framework and the custom DTrack malware. This groundwork by Andariel later led to the deployment of Play ransomware in September 2024. The attack involved credential harvesting, privilege escalation, disabling endpoint detection systems, and typical pre-ransomware activities. Researchers suggest that the role of North Korea’s Andariel might be as an initial access broker (IAB), facilitating and selling network access for the financially motivated Play ransomware operators. However, it's uncertain whether they act as Play affiliates or merely sell access to compromised networks. The collaboration signifies a shift in North Korean tactics, aligning with broader trends where nation-states increasingly engage or assist in ransomware for financial gain. This trend of state-sponsored involvement in ransomware extends beyond North Korea. Iranian and Russian actors have similarly leveraged ransomware for financial benefits, often acting behind the scenes to evade international sanctions.
Such tactics complicate attribution and enforcement efforts, as these actors frequently rebrand or work with different ransomware groups to bypass sanctions and legal repercussions. The implications of these developments are significant, indicating a potential increase in ransomware attacks with state-sponsored backing, driven increasingly by financial motivation rather than by espionage or disruption-focused campaigns.
- Bleeping Computer: North Korean x Play Ransomware Article
- The Hacker News: North Korean x Play Ransomware Article
- The Record: North Korean x Play Ransomware Article
Vulnerabilities
Bug Bounty Program "huntr" Uncovers Several Critical Vulnerabilities in Open-Source AI and ML Models
Over thirty-four (34) security vulnerabilities, including multiple critical vulnerabilities, have been identified in open-source AI and ML tools through Protect AI’s "huntr" bug bounty program, affecting widely-used toolkits like Lunary, Chuanhu Chat, and LocalAI. Two (2) of the most severe vulnerabilities in Lunary (CVE-2024-7474 and CVE-2024-7475), each with a CVSS score of 9.1/10, involve insecure direct object reference and improper access control, allowing attackers to view or delete user records, or to manipulate authentication processes by altering the SAML configuration. In Chuanhu Chat, a GUI for ChatGPT, a path traversal flaw (CVE-2024-5982) allows remote code execution (RCE), arbitrary directory creation, and data leakage from CSV files. LocalAI, a platform for locally hosted AI models, is impacted by a high-severity RCE bug (CVE-2024-6983), enabling malicious configuration uploads, and a timing attack vulnerability (CVE-2024-7010), allowing attackers to guess API keys by measuring server response times. Protect AI also highlighted the vulnerabilities in these tools as significant risks in the AI model supply chain, emphasizing that open-source tools like these, downloaded thousands of times monthly, are integral to enterprise AI systems. Protect AI’s Vulnhuntr tool aids in uncovering such vulnerabilities, while updates are recommended to mitigate these security risks. These flaws have been patched, and CTIX analysts recommend that any users leveraging the affected open-source AI tools update to the most secure versions to prevent exploitation.
- The Hacker News: huntr Vulnerabilities Article
- SC Media: huntr Vulnerabilities Article
- ChannelE2E: huntr Vulnerabilities Article
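The timing-attack class behind the LocalAI API-key finding (CVE-2024-7010) is easiest to see in code. The following Go example is added here for illustration and is not LocalAI's or Protect AI's code: it models an early-exit key comparison whose amount of work (a stand-in for response time) grows with the length of the correctly guessed prefix, beside the hardened constant-time form a maintainer would deploy. The key value is a constructed sample.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
)

// naiveEqual models the vulnerable class: an early-exit byte comparison that
// stops at the first mismatch. The step count stands in for elapsed time, the
// signal a remote caller measures. Illustration only, not LocalAI's code.
func naiveEqual(secret, guess string) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	for i := 0; i < len(secret); i++ {
		steps++
		if secret[i] != guess[i] {
			return false, steps // work done grows with the matching prefix
		}
	}
	return true, steps
}

// constantTimeEqualSteps examines every byte regardless of where a mismatch
// occurs, so the step count carries no information about the secret.
func constantTimeEqualSteps(secret, guess string) (equal bool, steps int) {
	if len(secret) != len(guess) {
		return false, 0
	}
	var diff byte
	for i := 0; i < len(secret); i++ {
		steps++
		diff |= secret[i] ^ guess[i]
	}
	return diff == 0, steps
}

// checkAPIKey is the form to deploy: hashing both values first equalises
// their lengths (so even a length check leaks nothing), then the standard
// library's constant-time compare decides.
func checkAPIKey(presented, expected string) bool {
	p := sha256.Sum256([]byte(presented))
	e := sha256.Sum256([]byte(expected))
	return subtle.ConstantTimeCompare(p[:], e[:]) == 1
}
```

Calling naiveEqual with guesses that match 0, 3 and 7 leading bytes of the key returns step counts of 1, 4 and 8, which is exactly the gradient an attacker measures, while constantTimeEqualSteps returns the full key length every time.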
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.