Malware Activity
New IOCONTROL Malware Targets IoT Devices and OT/SCADA Systems
Cybersecurity researchers have identified a new malware family, attributed to an Iranian threat actor, that targets IoT and OT/SCADA devices used by critical infrastructure in Israel and the United States. Dubbed IOCONTROL, the malware targets devices including routers, programmable logic controllers (PLCs), and fuel management systems. IOCONTROL is reportedly linked to CyberAv3ngers, an Iranian hacking group known for attacking industrial control systems. It has been recovered from infected Gasboy and Orpak fuel management systems, although how the malware was planted on those systems is not yet known. The implant is stored as "iocontrol" in the "/usr/bin/" directory and uses an init script, "S93InitSystemd.sh", to persist across reboots. IOCONTROL uses the MQTT protocol for command-and-control (C2) communications and resolves its C2 domains via DNS over HTTPS (DoH), which keeps the lookups out of conventional DNS logs. The malware can report system details, run OS commands, self-delete, and run port scans. Once installed on a fuel management system, IOCONTROL could control pumps or payment terminals, leading to service disruption and potentially data theft. Researchers note that the malware's modular design lets it run on many different types of devices. The threat actors claimed on Telegram in 2023 to have compromised 200 gas stations in Israel and the U.S., and researchers report that new campaigns have emerged this year. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
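The indicators above (the implant path, the init script, MQTT C2 and DoH resolution) translate directly into host-side triage checks. The following script is an added example, not code from the researchers' report or from the malware itself: it parses `netstat -tanp` style output and a file inventory, flags the persistence artifacts only where they would actually execute at boot, and flags established MQTT sessions from processes that are not on an allowlist. The file list, the connection table and the set of DoH resolver addresses are constructed assumptions; the bulletin does not name the resolver IOCONTROL uses.

```python
"""
Host triage for the IOCONTROL indicators named above: the implant at
/usr/bin/iocontrol, the S93InitSystemd.sh init script, MQTT command-and-control
and DNS-over-HTTPS resolution. Added example; not code from the researchers'
report. The file list and netstat output are constructed so it runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

IMPLANT_PATH = "/usr/bin/iocontrol"
PERSISTENCE_SCRIPT = "S93InitSystemd.sh"
# SysV runlevel directories: an S93* entry here is executed at boot.
RC_DIR_RE = re.compile(r"^/etc/(?:rc\.d/)?rc[0-6S]\.d/")
MQTT_PORTS = {1883, 8883}  # plaintext and TLS MQTT
# Assumption: public DoH resolvers worth flagging on an OT device. The bulletin
# says IOCONTROL resolves its C2 domain over DoH but does not name the resolver.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# One data row of `netstat -tanp` (busybox and net-tools layouts both match).
NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pidproc>\S+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    proto: str
    raddr: str
    rport: int
    state: str
    process: str


def parse_netstat(text: str) -> list[Conn]:
    """Parse `netstat -tanp` output into Conn records, skipping header lines
    and LISTEN rows whose foreign port is '*'."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        host, _, port = m["raddr"].rpartition(":")
        if not port.isdigit():
            continue
        _, _, proc = m["pidproc"].partition("/")  # "1234/iocontrol" or "-"
        conns.append(Conn(m["proto"], host, int(port), m["state"], proc or "?"))
    return conns


def check_files(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Flag the implant path, and the init script only when it sits in an
    rc directory where it would actually run at boot."""
    findings = []
    for p in paths:
        if p == IMPLANT_PATH:
            findings.append(("implant_binary", p))
        elif p.rsplit("/", 1)[-1] == PERSISTENCE_SCRIPT and RC_DIR_RE.match(p):
            findings.append(("persistence_script", p))
    return findings


def check_conns(conns: Iterable[Conn],
                mqtt_allowlist: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Flag established MQTT sessions from processes not on the allowlist and
    HTTPS sessions to known DoH resolvers."""
    findings = []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        who = f"{c.process} -> {c.raddr}:{c.rport}"
        if c.rport in MQTT_PORTS and c.process not in mqtt_allowlist:
            findings.append(("mqtt_c2", who))
        if c.rport == 443 and c.raddr in DOH_RESOLVERS:
            findings.append(("doh_lookup", who))
    return findings


def triage(paths, netstat_text, mqtt_allowlist=frozenset()):
    return check_files(paths) + check_conns(parse_netstat(netstat_text), mqtt_allowlist)


# Constructed sample input (not real device data).
SAMPLE_FILES = [
    "/usr/bin/busybox",
    "/usr/bin/iocontrol",
    "/etc/rc3.d/S93InitSystemd.sh",
    "/etc/init.d/networking",
    "/tmp/S93InitSystemd.sh",  # same name outside rc*.d: not persistence on its own
]
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.10.5:41522      203.0.113.10:8883       ESTABLISHED 1234/iocontrol
tcp        0      0 192.168.10.5:51004      1.1.1.1:443             ESTABLISHED 1234/iocontrol
tcp        0      0 192.168.10.5:40001      192.168.10.2:1883       ESTABLISHED 700/telemetryd
tcp        0      0 192.168.10.5:22         192.168.10.20:50122     ESTABLISHED 512/dropbear
tcp        0      0 0.0.0.0:1883            0.0.0.0:*               LISTEN      300/mosquitto
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_FILES, SAMPLE_NETSTAT, frozenset({"telemetryd"})):
        print(f"{kind:20} {detail}")
```

On a real device, feed `find / -xdev -type f` into `check_files` and `netstat -tanp` into `parse_netstat`; put the device's legitimate MQTT clients in the allowlist so that only unexpected brokers' sessions are reported. The file name match is deliberately tied to an rc directory because a stray script of the same name in `/tmp` proves nothing on its own.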
Threat Actor Activity
Europol Operation Shuts Down Twenty-Seven DDoS Sites Ahead of Christmas Holiday
An international law enforcement operation coordinated by Europol and involving fifteen (15) countries has dismantled twenty-seven (27) DDoS-for-hire services, known as "booters" or "stressers." These platforms, which use botnets of compromised devices to launch distributed denial-of-service (DDoS) attacks on behalf of paying customers, have been taken offline. The operation, codenamed Operation PowerOFF, also resulted in the arrest of three (3) administrators in France and Germany and identified 300 users of the services. The crackdown targeted websites including zdstresser[.]net, orbitalstress[.]net, and starkstresser[.]net, which let cybercriminals and hacktivists flood online services with junk traffic, rendering them inaccessible. The action is part of a broader effort to combat cybercrime during the peak holiday season, when such attacks can significantly disrupt online shopping and business operations. The Dutch Politie also prosecuted four (4) individuals for conducting hundreds of DDoS attacks, and the U.S. Department of Justice indicted two (2) individuals associated with booter services. Europol noted that motivations for these attacks range from economic sabotage and financial gain to ideological reasons. The operation's timing ahead of Christmas was deliberate, given the holiday season's history as a peak period for disruptive DDoS attacks. Nearly 6 million DDoS attacks were reported in the third quarter of 2024, 50% more than in the same period of the previous year. The banking and financial services sector was the most targeted, a trend exacerbated by global geopolitical tensions and the use of powerful botnets.
- The Hacker News: Operation PowerOFF Article
- The Record: Operation PowerOFF Article
- Bleeping Computer: Operation PowerOFF Article
Vulnerabilities
WordPress Plugin "Hunk Companion" Vulnerability Exploited to Covertly Install Malicious Plugins
A critical vulnerability in the Hunk Companion plugin for WordPress is being actively exploited to install and activate outdated or vulnerable plugins, exposing sites to remote code execution (RCE), SQL injection, cross-site scripting (XSS), and the creation of backdoor administrator accounts. The flaw, tracked as CVE-2024-11972 (CVSS 9.8/10) and affecting versions prior to 1.9.0, lets an unauthenticated POST request bypass the plugin's permission check and install plugins of the attacker's choosing, including the abandoned WP Query Console plugin, which carries a publicly known but unpatched RCE flaw (CVE-2024-50498, CVSS 10/10). Threat actors chain the two to execute malicious PHP code, tamper with site files, and maintain persistent access through PHP droppers. WPScan discovered the vulnerability while investigating an infected WordPress site and noted that it is a bypass of an inadequate fix for a similar vulnerability in version 1.8.5. Although version 1.9.0 closes the hole, over 8,000 sites have not yet updated. The exploit chain underscores the importance of securing every WordPress component, especially third-party plugins, which attackers frequently use as entry points. CTIX analysts recommend that administrators of affected sites who have yet to install the patch do so immediately, remove WP Query Console and any other plugin they did not install themselves, and audit the site for unexpected PHP files and administrator accounts.
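The root cause described above, a plugin-install endpoint reachable without a capability check, is a recurring WordPress REST API mistake. The snippet below is an added, illustrative example written for this page; it is not Hunk Companion's code and does not reproduce its actual route. The namespace `example/v1`, the route names, the helper `example_allowed_plugin_slugs()` and the slugs in the allowlist are assumptions. It shows the weak registration beside the hardened one and uses only core WordPress APIs (`register_rest_route`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`).

```php
<?php
// Added example (not Hunk Companion's code). Assumed names: namespace
// 'example/v1', routes '/install-plugin' and '/install-plugin-safe',
// helper example_allowed_plugin_slugs(). Requires WordPress.

// VULNERABLE: '__return_true' (or a missing permission_callback) means an
// unauthenticated POST with ?slug=<anything> installs and activates that
// plugin, which is exactly how an abandoned plugin with a known RCE gets
// onto a site.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_handler',
        'permission_callback' => '__return_true',   // the bug
    ) );
} );

// HARDENED: capability check plus an allowlist of the plugins this theme
// actually needs. For cookie-authenticated callers core also requires a
// valid X-WP-Nonce header; without it the user is treated as logged out
// and current_user_can() fails.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/install-plugin-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_install_plugin_handler',
        'permission_callback' => function () {
            return current_user_can( 'install_plugins' )
                && current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'slug' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                'validate_callback' => function ( $slug ) {
                    return in_array( $slug, example_allowed_plugin_slugs(), true );
                },
            ),
        ),
    ) );
} );

function example_allowed_plugin_slugs() {
    // Assumption: the companion plugins the theme depends on. Nothing else
    // is installable through this route, no matter who calls it.
    return array( 'contact-form-7', 'woocommerce' );
}

function example_install_plugin_handler( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $slug = $request->get_param( 'slug' );
    $api  = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return new WP_Error( 'install_failed', 'Plugin install failed', array( 'status' => 500 ) );
    }

    $plugin_file = $upgrader->plugin_info();   // e.g. "slug/slug.php"
    $activated   = activate_plugin( $plugin_file );
    if ( is_wp_error( $activated ) ) {
        return $activated;
    }
    return rest_ensure_response( array( 'installed' => $plugin_file ) );
}
```

The two routes share one handler on purpose: the handler itself is unremarkable, and the entire difference between a feature and an unauthenticated install primitive is the `permission_callback` and the `args` validation. When reviewing a plugin, grep for `register_rest_route` and treat every `'__return_true'` that fronts a state-changing action as a finding.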
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.