Ransomware/Malware Activity
Interlock Ransomware Targets FreeBSD Servers
A new ransomware operation named “Interlock” has been attacking organizations worldwide, publishing data allegedly stolen from six (6) organizations since September 2024. Researchers have discovered Interlock variants built to encrypt FreeBSD servers, an operating system that is not usually targeted in ransomware operations. Experts speculate that Interlock targets FreeBSD because it is widely used in servers and critical infrastructure. Interlock engages in double extortion attacks: it both encrypts critical systems and demands a ransom to suppress publication of the stolen data. Interlock targets Windows as well as FreeBSD operating systems, clearing Windows event logs and self-destructing after encrypting files. Files encrypted by the ransomware are appended with a “.interlock” extension, and a ransom note named “!___README___!.txt” is left in directories instructing victims on how to access a Tor site for payment negotiations. Interlock’s operations are relatively new, and there is still much to uncover about the threat actor’s tactics, techniques, and procedures. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
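The following triage helper is an added example, not code from the report or from any Interlock sample: it checks a constructed file inventory and constructed Windows event log lines for the indicators named above (the “.interlock” extension, the “!___README___!.txt” ransom note, and event-log clearing). The Windows Event IDs 1102 (Security log cleared) and 104 (System log cleared) are standard Microsoft IDs assumed here; the page itself does not list them.

```python
"""Triage constructed host telemetry for the Interlock indicators described above."""
from collections import defaultdict
import re

RANSOM_NOTE = "!___README___!.txt"     # ransom note name from the report
ENCRYPTED_EXT = ".interlock"           # extension appended to encrypted files
LOG_CLEAR_IDS = {"1102", "104"}        # assumed: Security / System log cleared
EVENT_RE = re.compile(r"EventID=(\d+)")

def triage_files(paths):
    """Group indicators by directory: dir -> {'encrypted': count, 'note': bool}."""
    hits = defaultdict(lambda: {"encrypted": 0, "note": False})
    for p in paths:
        d, _, name = p.replace("\\", "/").rpartition("/")  # normalise separators
        if name.endswith(ENCRYPTED_EXT):
            hits[d]["encrypted"] += 1
        elif name == RANSOM_NOTE:
            hits[d]["note"] = True
    return dict(hits)

def log_clear_events(lines):
    """Return the log lines whose EventID indicates an event log was cleared."""
    return [ln for ln in lines if (m := EVENT_RE.search(ln)) and m.group(1) in LOG_CLEAR_IDS]

def verdict(paths, log_lines):
    """Combine file and log evidence; two or more independent indicators is a hit."""
    files = triage_files(paths)
    note_dirs = [d for d, h in files.items() if h["note"]]
    encrypted = sum(h["encrypted"] for h in files.values())
    cleared = log_clear_events(log_lines)
    score = (encrypted > 0) + (len(note_dirs) > 0) + (len(cleared) > 0)
    return {"encrypted_files": encrypted, "note_dirs": note_dirs,
            "log_clears": len(cleared), "likely_interlock": score >= 2}

# Constructed sample data (not real telemetry): a Windows share and a FreeBSD web root.
SAMPLE_PATHS = [
    r"C:\Shares\Finance\Q3.xlsx.interlock",
    r"C:\Shares\Finance\budget.docx.interlock",
    r"C:\Shares\Finance\!___README___!.txt",
    "/srv/www/config.php.interlock",
    "/srv/www/!___README___!.txt",
    r"C:\Users\Public\notes.txt",
]
SAMPLE_LOGS = [
    "2024-11-02T03:12:09 Host=FS01 Channel=Security EventID=4624 LogonType=3",
    "2024-11-02T03:40:51 Host=FS01 Channel=Security EventID=1102 The audit log was cleared",
    "2024-11-02T03:40:52 Host=FS01 Channel=System EventID=104 The System log file was cleared",
]

if __name__ == "__main__":
    print(verdict(SAMPLE_PATHS, SAMPLE_LOGS))
```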
Threat Actor Activity
FBI Tracking Down Threat Actors Exploiting Edge Networking Devices
The FBI has sought public assistance in identifying individuals behind a series of intrusions involving compromised edge devices in both the public and private sectors. These intrusions have been linked to Chengdu-based researchers and their collaboration with Chinese government agencies, exploiting vulnerabilities in Sophos products, including CVE-2020-12271, to install malware such as Asnarök. The FBI's request follows detailed reports from Sophos highlighting years-long surveillance and espionage campaigns targeting critical infrastructure in South and Southeast Asia, with some incidents affecting Europe and the United States. Chinese nation-state groups such as Volt Typhoon have targeted edge devices like routers and firewalls, exploiting them as operational relay boxes (ORBs) to obfuscate their activities and conduct espionage. These devices are attractive targets because of their computing power, constant connectivity, and role in network infrastructure, making them useful for both direct espionage and indirect attacks. The series of reports Sophos released was labelled "Pacific Rim", detailing its ongoing conflict with Chinese threat actors over the past five (5) years. As stated in the report, these actors have increasingly targeted networking devices worldwide, including those from Sophos, exploiting vulnerabilities to install custom malware for network monitoring, credential theft, and proxy server operations. The attacks have impacted products from several well-known manufacturers, such as Fortinet, Cisco, and Sophos, and have been attributed to groups like Volt Typhoon, APT31, and APT41/Winnti. Sophos began confronting these threats in 2018 when its subsidiary, Cyberoam, was targeted, marking the start of focused attacks on network devices. These actors have advanced their techniques to include memory-only malware and sophisticated persistence methods, using compromised devices as proxy networks to evade detection.
Sophos has countered by deploying custom implants on known compromised devices, gathering intelligence on the threat actors, including the deployment of a UEFI bootkit.
Vulnerabilities
Google AI Tool Finds Critical Vulnerability in SQLite that was Missed by Fuzzing
Google's experimental AI framework Big Sleep (formerly Project Naptime), a collaboration between Google Project Zero and DeepMind, has achieved a breakthrough by uncovering a previously unknown, exploitable vulnerability in the widely used SQLite open-source database. This zero-day memory safety flaw, a stack buffer underflow that could lead to crashes or arbitrary code execution, was found by analyzing recent code commits before the code reached an official release, so users were never exposed. Traditional fuzzing, which tests software by feeding it random or invalid data to trigger errors, failed to detect the issue, underscoring Big Sleep’s potential as an advanced cybersecurity tool. Big Sleep leverages a large language model (LLM) to simulate human-like reasoning and code comprehension, allowing it to navigate codebases, run sandboxed Python scripts, and debug vulnerabilities with remarkable efficiency. This AI-driven approach specifically aids in identifying vulnerability variants (modifications of previously known flaws), which account for a significant portion of zero-day exploits but often evade traditional tools. Despite the success, Google notes that the results are experimental and that targeted fuzzers still play a critical role in vulnerability research. However, this AI breakthrough highlights the potential of LLMs to help defenders stay ahead of attackers by identifying and fixing vulnerabilities before they can be exploited, representing a promising step forward in proactive cybersecurity. CTIX analysts will continue to report on critical vulnerabilities and the efforts taken to defend against their exploitation.
- Security Week: Google AI Vulnerability Article
- The Record: Google AI Vulnerability Article
- The Hacker News: Google AI Vulnerability Article
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.