
Ankura CTIX FLASH Update - November 15, 2024

Malware Activity


Bitdefender Releases Decryptor for ShrinkLocker Ransomware

Bitdefender has delighted ShrinkLocker ransomware victims by releasing a decryptor for the ransomware variant this week. ShrinkLocker ransomware leverages Windows' built-in BitLocker drive encryption instead of the custom encryption implementations commonly used by ransomware. In a ShrinkLocker attack, the ransomware first checks whether BitLocker is enabled on the victim machine and installs BitLocker if it is not already present. The ransomware then generates a random password for the BitLocker encryption using network traffic and memory usage data. Importantly, the ransomware also deletes or reconfigures all BitLocker protectors to hinder recovery of the encryption keys. While lacking the sophistication of most ransomware strains, ShrinkLocker has successfully attacked corporate systems and has targeted organizations in the government, healthcare, and manufacturing sectors in Mexico, Indonesia, and Jordan. Bitdefender has identified a way to reverse the sequence ShrinkLocker performs to delete and reconfigure the BitLocker protectors, effectively making it possible to reverse the encryption process and recover encrypted drives. Bitdefender has noted that the decryptor works on Windows 10, 11, and recent Server versions and is most effective when used shortly after the initial attack. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
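Because ShrinkLocker's leverage comes from removing or replacing the BitLocker protectors an organization relies on for recovery, a practical defensive control is to verify that every encrypted volume still carries a recovery password protector and that the password is escrowed outside the endpoint. The audit below is an added example, not code from Ankura or Bitdefender; it assumes the built-in BitLocker PowerShell module, an elevated session, and Active Directory escrow via Backup-BitLockerKeyProtector (the $EscrowToAD switch and the CTIX-style log line are the author's own conventions).

```powershell
# Added example: audit BitLocker protectors on fixed volumes and escrow recovery
# passwords. Assumes Windows 10/11 or Server with the BitLocker module loaded.
param([switch]$EscrowToAD)

$findings = foreach ($vol in Get-BitLockerVolume) {
    # Only operating-system and fixed data volumes are relevant; skip removable media.
    if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

    $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $issues = @()
    # An encrypted volume with no recovery password protector cannot be recovered
    # by the organization; this is the state ShrinkLocker tries to create.
    if ($vol.ProtectionStatus -eq 'On' -and $recovery.Count -eq 0) {
        $issues += 'no RecoveryPassword protector'
    }
    # A volume guarded only by a numeric/password protector, with no TPM and no
    # recovery key, is unusual for a managed device and worth a closer look.
    if ($types.Count -gt 0 -and ($types | Where-Object { $_ -ne 'Password' }).Count -eq 0) {
        $issues += 'Password-only protector set'
    }

    if ($EscrowToAD) {
        foreach ($rp in $recovery) {
            # Store the recovery password in AD so a later protector change on the
            # endpoint does not leave the organization without a recovery path.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ',')
        Issues           = ($issues -join '; ')
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduled task or monitoring agent raise an alert.
if ($findings | Where-Object { $_.Issues }) { exit 1 } else { exit 0 }
```

Run it on a schedule with -EscrowToAD on domain-joined hosts; a sudden change from a TPM plus RecoveryPassword set to a Password-only set on a previously healthy volume is the kind of protector reconfiguration the update describes.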


Threat Actor Activity


Threat Actor Publishes Troves of Data Allegedly Stolen Through the MOVEit Vulnerability

In recent cybersecurity developments, Delta and Amazon have confirmed breaches involving employee data, attributed to vulnerabilities in the MOVEit file transfer tool exploited by cybercriminals. The threat actor, known as "Nam3L3ss," has published stolen data, including employee names, contact details, and office locations, on a dark web forum, impacting multiple organizations alongside Delta and Amazon. Both companies clarified that the breaches occurred through a third-party vendor rather than their own systems, and that the data did not include sensitive personal information such as Social Security numbers or financial data. The unnamed vendor has since patched the vulnerability. The MOVEit attacks, initiated by the Clop ransomware gang, began on May 27, 2023, exploiting a zero-day flaw in the MOVEit Transfer secure file transfer platform, which is widely used in enterprise settings for secure file transfers. The attacks have led to the exposure of approximately 96 million records from 2,773 organizations, including government agencies and Fortune 500 companies. The Clop gang has reportedly earned between $75 million and $100 million from ransom payments during this campaign. Nam3L3ss, who claims not to be a hacker but rather someone who acquires data from various insecure sources, has leaked data from twenty-five (25) major organizations, including Lenovo, HP, TIAA, Schwab, HSBC, McDonald's, and MetLife. The individual expressed anger toward companies that fail to protect user information and cited a controversy involving a cybersecurity researcher in Columbus, Ohio, as a catalyst for their actions. Security experts have verified the legitimacy of the leaked data, which poses significant risks for phishing, identity theft, and social engineering attacks. CTIX analysts recommend that companies affected by the MOVEit attack increase their security measures to help prevent further incidents and remain vigilant about the risks posed by data leaks like these.


Vulnerabilities


Russian Hackers Exploit Critical Windows Zero-Day NTLM Flaw to Deploy RAT Malware Against Ukrainian Targets

A recently patched Windows vulnerability, tracked as CVE-2024-43451, has been actively exploited as a zero-day by a suspected Russia-linked threat group, UAC-0194, in cyberattacks targeting Ukrainian entities. Discovered by ClearSky in June 2024, the vulnerability is an NTLM hash disclosure spoofing flaw that allows attackers to steal NTLMv2 hashes with minimal user interaction, such as right-clicking or deleting a malicious URL file. The attack chain begins with phishing emails originating from compromised Ukrainian government servers, directing victims to download ZIP files containing a URL file. Interaction with the file triggers the exploit, connecting to an attacker-controlled command-and-control (C2) server to download additional malware, including the open-source SparkRAT, which enables remote system control. The stolen NTLMv2 hashes can facilitate pass-the-hash attacks or be cracked to reveal plaintext passwords. Microsoft patched the vulnerability in November 2024, confirming its impact on all supported Windows versions. CERT-UA and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have also issued warnings, emphasizing the critical risk posed by this flaw. The flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies secure their systems no later than December 3, 2024. CTIX analysts


The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
