Ransomware/Malware Activity
Helldown Ransomware Branches into VMware and Linux Systems
A relatively new ransomware group – Helldown – has been expanding its ransomware capabilities to target VMware ESXi environments and Linux systems. The Helldown ransomware strain was first identified by researchers in August 2024, targeting sectors including IT services, telecommunications, manufacturing, and healthcare. The group has attacked over thirty companies since it arrived on the scene just a few months ago. Helldown has been observed exploiting vulnerabilities in Zyxel firewall appliances to initially breach networks, stealing credentials and creating SSL VPN tunnels to maintain access. The Windows variant of the ransomware deletes shadow copies and terminates processes prior to encrypting files and self-destructing. The ransomware appears to be a variant of the leaked LockBit 3.0 ransomware, and its artifacts share similarities with those of the DarkRace and DoNex ransomware groups. Recently, the group has been observed deploying a new Linux version of its ransomware, which appears to still be under development. The Linux version lacks obfuscation and anti-debugging mechanisms. Cybersecurity researchers have analyzed one such variant and noted that the ransomware does not appear to have a mechanism for network communication to share a secret or public key, raising the question of how Helldown would be able to provide a decryptor for files encrypted by it. The group appears to be expanding its capabilities to target virtualized infrastructure, an increasingly common and popular target for ransomware attacks. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Threat Actors are Using a New Ghost Tap Technique to Steal Funds, Exploiting NFCGate
Cybercriminals have introduced a sophisticated new tactic known as "Ghost Tap," leveraging near-field communication (NFC) technology to facilitate large-scale fraudulent transactions. This method involves using stolen credit card information linked to mobile payment services such as Google Pay or Apple Pay to execute global transactions, often without the cardholder's physical presence. The scheme begins with tricking victims into downloading banking malware, allowing attackers to capture sensitive financial credentials. Once they have the card details, the criminals link them to a mobile payment service and use a tool called NFCGate to relay tap-to-pay information to a mule, who then conducts purchases at a point-of-sale terminal. Ghost Tap exploits NFC technology by establishing a relay system that enables anonymous and scalable cash-outs across multiple locations. The transactions mimic legitimate activity, making them difficult to detect with traditional anti-fraud measures. This anonymity and ability to scale quickly pose significant challenges for financial institutions and retailers attempting to combat such fraud. The advancement of communication networks and the absence of effective time-based detection mechanisms on ATM and point-of-sale (POS) terminals have further enabled the execution of Ghost Tap attacks.
Vulnerabilities
Apple Patches Actively Exploited Critical Zero-Day Vulnerabilities
Apple has issued critical emergency updates across its platforms, including iOS, iPadOS, macOS, visionOS, and Safari, to address two (2) actively exploited zero-day vulnerabilities. The first flaw, tracked as CVE-2024-44308, is a JavaScriptCore vulnerability enabling remote code execution (RCE) via maliciously crafted web content. The second vulnerability, tracked as CVE-2024-44309, is a WebKit flaw allowing cross-site scripting (XSS) attacks. These vulnerabilities, identified by Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group, were likely exploited in highly targeted spyware attacks, specifically on Intel-based Mac systems. Apple resolved the issues with improved checks and state management, providing updates in macOS Sequoia 15.1.1, iOS 18.1.1 and 17.7.2, iPadOS 18.1.1 and 17.7.2, visionOS 2.1.1, and Safari 18.1.1. While Apple has not disclosed details of the exploitation, it has urged users to update promptly to safeguard against potential threats. With these patches, Apple has addressed six (6) zero-day vulnerabilities in 2024, marking a significant improvement compared to the twenty (20) fixed in 2023. CTIX analysts urge all readers to ensure their Apple devices are up-to-date to prevent future exploitation.
- The Hacker News: Apple Zero-Day Vulnerabilities Article
- Bleeping Computer: Apple Zero-Day Vulnerabilities Article
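For readers who need to confirm their fleet is covered, the following added example (not from Apple or the CTIX team) checks a device's reported platform and version against the fixed releases listed above. The two-branch handling for iOS/iPadOS (18.x and 17.x) follows the text; the inventory records and the platform-name/dotted-version input format are constructed assumptions.

```python
from typing import Optional

# Fixed versions per platform, taken from the update text above. iOS and
# iPadOS received fixes on two release branches, so each branch is checked
# against the device's own major version.
FIXED_VERSIONS = {
    "macOS": ["15.1.1"],
    "iOS": ["18.1.1", "17.7.2"],
    "iPadOS": ["18.1.1", "17.7.2"],
    "visionOS": ["2.1.1"],
    "Safari": ["18.1.1"],
}

def parse_version(v: str) -> tuple:
    """'18.1' -> (18, 1, 0); pads to three parts so that 18.1 < 18.1.1."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))

def is_patched(platform: str, version: str) -> Optional[bool]:
    """True if at/above the fixed release for its branch, False if below,
    None if no fixed release is listed for that major version (assumed to
    need manual review rather than being silently treated as safe)."""
    fixes = FIXED_VERSIONS.get(platform)
    if fixes is None:
        raise KeyError(f"no fix data for platform {platform!r}")
    current = parse_version(version)
    for fixed in fixes:
        fixed_t = parse_version(fixed)
        if fixed_t[0] == current[0]:
            return current >= fixed_t
    return None

# Constructed sample inventory records (assumption), not real devices.
SAMPLE_INVENTORY = [
    {"host": "mbp-01", "platform": "macOS", "version": "15.1.1"},
    {"host": "mbp-02", "platform": "macOS", "version": "15.1"},
    {"host": "iphone-07", "platform": "iOS", "version": "17.7.2"},
    {"host": "iphone-09", "platform": "iOS", "version": "18.1"},
    {"host": "ipad-03", "platform": "iPadOS", "version": "16.7.10"},
]

def triage(inventory) -> dict:
    """Group hostnames by status: patched, vulnerable, or review."""
    out = {"patched": [], "vulnerable": [], "review": []}
    for rec in inventory:
        status = is_patched(rec["platform"], rec["version"])
        key = "review" if status is None else ("patched" if status else "vulnerable")
        out[key].append(rec["host"])
    return out

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Devices on a major version with no listed fix (the 16.x iPad in the sample) land in "review" rather than "patched", since the update does not say those branches were addressed.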
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to contact the CTIX Team (ctix@ankura.com) if you need more context.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.