Ankura CTIX FLASH Update - November 8, 2024

Ransomware/Malware Activity


SteelFox Infostealer and CryptoMiner Delivered via Cracked Software 

Researchers have identified a new malware bundle developed for Windows machines that drops both infostealing and cryptomining malware on victim devices. Active since at least February 2023 but only recently discovered, SteelFox is a malware dropper that uses a "bring your own vulnerable driver" (BYOVD) technique to establish SYSTEM privileges on the victim Windows machine. SteelFox is delivered via cracked software such as Foxit PDF Editor, JetBrains, and AutoCAD. The download does contain the cracked version of the software, but it also bundles the SteelFox malware. The admin access required to install the software is abused to create a service that runs a version of WinRing0.sys with two known vulnerabilities, which are exploited to give the attacker NT\SYSTEM privileges. This driver is also a component of the XMRig miner, which the attacker uses for cryptojacking, connecting to a mining pool with hardcoded credentials. SteelFox uses SSL pinning and TLS v1.3 to establish its command-and-control connection. It is capable of harvesting and exfiltrating data from a wide variety of web browsers, including stored cookies, credit card data, location, and search history. To date, researchers have identified compromised systems primarily in countries including Brazil, China, Russia, and Mexico. CTIX analysts advise organizations and individuals to refrain from downloading software through illegitimate channels. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
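The paragraph above describes the persistence and privilege-escalation mechanism: the installer's admin rights are used to register a service that loads a vulnerable WinRing0.sys. The following PowerShell script is an added example for defenders and is not part of the Ankura update or any vendor tooling. It enumerates installed kernel drivers, services, and raw service registry keys whose image path references WinRing0, and hashes the on-disk driver so it can be compared against a vendor or threat-intel list (the list itself is not on this page and is left as a placeholder). It assumes an elevated PowerShell session on the Windows host being checked; note that legitimate hardware-monitoring tools also ship WinRing0, so a hit is a triage lead, not a verdict.

```powershell
# Added example (not from the Ankura CTIX update): find services and kernel
# drivers backed by WinRing0.sys, the vulnerable driver SteelFox registers
# as a service to reach NT\SYSTEM. Assumes an elevated PowerShell session.

$pattern = 'WinRing0'

# Resolve the path forms found in service ImagePath values to a filesystem path.
function Resolve-DriverPath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                              # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"          # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^(system32|syswow64)\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# 1. Kernel drivers known to the Service Control Manager.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 2. User-mode services (the dropper creates one with the installer's admin rights).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, PathName

# 3. Raw service registry keys, which catch entries WMI does not report.
$regHits = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match $pattern) {
            [pscustomobject]@{ Key = $_.PSChildName; ImagePath = $img }
        }
    }

# 4. Hash every referenced driver file so it can be compared against a
#    known-bad list (placeholder: populate from your threat-intel source).
$knownBadSha256 = @()   # placeholder, e.g. @('<SHA256 from vendor report>')
$hashes = @($drivers.PathName + $services.PathName + $regHits.ImagePath) |
    Where-Object { $_ } | Sort-Object -Unique |
    ForEach-Object {
        $file = Resolve-DriverPath $_
        if (Test-Path $file) {
            $h = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            [pscustomobject]@{
                File      = $file
                SHA256    = $h
                KnownBad  = $knownBadSha256 -contains $h
                Signature = (Get-AuthenticodeSignature -FilePath $file).Status
            }
        }
    }

if (-not $drivers -and -not $services -and -not $regHits) {
    Write-Output 'No WinRing0-backed services or drivers found.'
} else {
    Write-Output 'Driver entries:';   $drivers  | Format-Table -AutoSize
    Write-Output 'Service entries:';  $services | Format-Table -AutoSize
    Write-Output 'Registry entries:'; $regHits  | Format-Table -AutoSize
    Write-Output 'Driver files:';     $hashes   | Format-Table -AutoSize
    # Triage: correlate with System log event 7045 / Security event 4697
    # (service installed) and Sysmon event 6 (driver loaded) to find the
    # installer that created the service, and look for an XMRig miner
    # connecting to a mining pool alongside it.
}
```

Because WinRing0 is legitimately bundled by hardware monitors, the script pairs each hit with its Authenticode status and file hash rather than flagging the name alone; the decision comes from correlating the service's creation event with the cracked-software installer the paragraph describes.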


Threat Actor Activity


Suspect Behind Snowflake Hack Arrested in Canada

Canadian authorities have arrested Alexander "Connor" Moucka, a suspect linked to a series of major data breaches involving the cloud storage company Snowflake. Known by aliases such as "Waifu" and "Judische," Moucka was apprehended on October 30, 2024, following a request from the United States. The arrest is tied to allegations of Moucka's involvement in hacking over one hundred sixty-five (165) organizations, including significant corporations like AT&T, Ticketmaster, and Neiman Marcus, by exploiting stolen customer credentials. These breaches, which began in April 2024, have compromised the data of hundreds of millions, including the call logs of over a hundred million AT&T customers and personal information of five hundred sixty million Ticketmaster users. The joint investigation by Snowflake, Mandiant, and CrowdStrike revealed that the breaches were facilitated by the lack of multi-factor authentication (MFA) on affected Snowflake accounts. In response, Snowflake has since mandated MFA for new accounts and required stronger password protocols. The hacker group behind these attacks, identified as UNC5537, is believed to be financially motivated, with members based in North America and an affiliate in Turkey. This group reportedly used infostealer malware to obtain initial access and targeted companies by threatening to sell stolen data unless ransoms were paid. In one instance, AT&T allegedly paid $370,000 to prevent the sale of its compromised data. Moucka's arrest is part of a broader effort to address cybercrime linked to a network known as the Com, which is involved in both digital and physical crimes. He is also suspected of collaborating with another hacker, John Erin Binns, who was detained in Turkey earlier in 2024 for his involvement in a previous breach of T-Mobile.


Vulnerabilities


Cisco Patches Critical URWB Vulnerability in Unified Industrial Wireless Systems

Cisco has addressed a critical vulnerability in its Unified Industrial Wireless Software that allows unauthenticated, remote attackers to execute commands with root privileges on Ultra-Reliable Wireless Backhaul (URWB) access points. The flaw, tracked as CVE-2024-20418 (CVSS score of 10/10), is caused by improper input validation in the software's web-based management interface and enables low-complexity command injection attacks. Affected devices include the Catalyst IW9165D, IW9165E, and IW9167E models when operating in URWB mode. Discovered during internal security testing, the vulnerability has been patched in software version 17.15.1, and Cisco urges users to update from earlier versions. While no active exploitation or public exploit code has been reported, Cisco emphasizes the importance of prompt patching to mitigate potential risks. This fix follows recent efforts to address similar command injection vulnerabilities exploited in large-scale attacks, highlighting the ongoing need for robust security practices in industrial networks. CTIX analysts strongly urge any affected users to download and install the latest security patch immediately to prevent exploitation.


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
