
Ankura CTIX FLASH Update - December 17, 2024

Malware Activity

Glutton PHP Backdoor Targets Hackers and Industries in China and the U.S. 

Security researchers have uncovered a new PHP malware possibly linked to the Chinese hacking group Winnti (APT41). The malware, named Glutton, is a highly modular ELF-based backdoor seen used against popular PHP frameworks such as ThinkPHP, Laravel, Yii, and DedeCMS. Researchers believe Glutton could be linked to Winnti, but the attribution is not certain because the malware is uncharacteristically conspicuous: Glutton does not encrypt command-and-control communications, and its samples are not obfuscated. The malware was discovered in April 2024, and campaigns could have begun as early as December 2023. The malware’s code executes within PHP or PHP-FPM processes, maintaining stealth through fileless execution. Glutton modifies system files to establish persistence across reboots and can exfiltrate data from the victim filesystem. The backdoor supports twenty-two (22) commands and is designed to harvest system information, provide persistent access to the victim system, and perform code injection. The initial access vector is unknown, although researchers believe it is achieved through the exploitation of vulnerabilities and brute-force attacks. The backdoor is also unusual in that it has been found embedded in software packages sold on cybercrime forums, likely targeting other hackers. Once downloaded, Glutton deploys the “HackBrowserData” tool to steal passwords, cookies, credit card information, and browsing history from web browsers. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.

Threat Actor Activity

Hackers Leak Telecom Namibia's Data Following an Unpaid Ransom Demand

Namibia’s state-owned telecom provider, Telecom Namibia, confirmed a data leak on the dark web following a ransomware attack by Hunters International. The attack led to the public release of customer data after Telecom Namibia refused to negotiate with the hackers over a ransom. CEO Stanley Shanapinda emphasized the company's stance against negotiating with cybercriminals, citing the ridiculous demands and the lack of any guarantee against data leaks even if a ransom were paid. The specific data stolen was not detailed by the company, but local media reported that over 400,000 files were accessed, including personal and financial data from high-ranking government officials and clients. However, the company released a statement adding that it has measures in place to safeguard confidential and sensitive data. Telecom Namibia is currently analyzing the leaked data and collaborating with law enforcement to minimize further exposure and risk. The company also warned that sharing the leaked data could constitute a criminal offense after reports emerged that the leaked data has allegedly been circulating on social media. Hunters International, a group known for ransomware-as-a-service (RaaS) operations, emerged in October 2023 and was suspected to be a rebrand of the Hive ransomware operation dismantled by the FBI in January 2023. However, the group denies this connection, claiming to be a new entity that acquired the encryptor source code from Hive developers. Hunters International is notorious for targeting industries such as health, automotive, and finance.

Vulnerabilities

Critical OpenWrt Vulnerability Leaves Firmware Update Server Exposed to Exploitation

A critical security vulnerability has been discovered in OpenWrt's Attended Sysupgrade (ASU) feature, exposing users to the risk of installing malicious firmware. The flaw, tracked as CVE-2024-54143 with a CVSS score of 9.3/10, involves command injection in the image builder and the use of truncated 12-character SHA-256 hashes. Unsanitized user-supplied package names can be incorporated into build commands, allowing attackers to inject arbitrary commands and create malicious firmware signed with legitimate keys. The truncated hashes reduce entropy, enabling hash collisions that allow attackers to replace legitimate firmware with compromised versions during the build process. Exploitation requires no authentication, only the ability to submit crafted build requests, posing a significant supply chain risk. OpenWrt confirmed that no official firmware images were affected and has patched the vulnerability in ASU version 920c8a1. Users are strongly advised to update their firmware immediately, and public and self-hosted ASU instances should apply the patch to prevent exploitation. While no evidence suggests that the vulnerability has been exploited in the wild, the risk of malicious firmware infiltration remains severe, making timely updates essential. CTIX analysts urge any affected users to update their instances immediately to prevent exploitation.
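The two weaknesses described above (package names reaching a build command unsanitized, and a request key truncated to 12 hex characters) are generic enough to illustrate with a small Python example. The code below is an added example written for this update; it is not OpenWrt's ASU server code and does not reproduce how that server actually builds images. The package-name allowlist regex, the `make image PACKAGES=...` command shape, and the request-key fields are assumptions chosen for illustration. It shows the shell-string pattern that makes injection possible next to an argv-based, validated form, and it computes the birthday bound that explains why a 12-hex-character (48-bit) key is far too short to identify a cached firmware image.

```python
import hashlib
import json
import re

# Assumed policy for this example: a package name starts with a letter or digit
# and otherwise contains only letters, digits, "-", "_", "." and "+". Anything
# else (spaces, quotes, ";", "$", backticks, a leading "-") is rejected outright.
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._+-]{0,127}$")


def validate_package_name(name: str) -> bool:
    """Allowlist check: True only for names with no shell metacharacters."""
    return PACKAGE_NAME_RE.fullmatch(name) is not None


def unsafe_build_command(packages: list[str]) -> str:
    """Vulnerable pattern, shown for contrast only and never executed here:
    user-controlled names are interpolated into one string that would be handed
    to a shell, so any metacharacter in a name becomes part of the command."""
    return "make image PACKAGES=" + " ".join(packages)


def safe_build_argv(packages: list[str]) -> list[str]:
    """Hardened form: every name must pass the allowlist, and the result is an
    argv list (for subprocess.run without shell=True), so no shell parses it."""
    for name in packages:
        if not validate_package_name(name):
            raise ValueError(f"rejected package name: {name!r}")
    # Sort and dedupe so equivalent requests produce identical commands and keys.
    pkgs = sorted(set(packages))
    return ["make", "image", "PACKAGES=" + " ".join(pkgs)]


def request_key(version: str, target: str, packages: list[str]) -> str:
    """Full 64-hex-character SHA-256 over a canonical JSON encoding of the
    request. The key selects which cached image a requester receives, so it
    must not be truncated (hypothetical field set, chosen for the example)."""
    canonical = json.dumps(
        {"version": version, "target": target, "packages": sorted(set(packages))},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def truncated_key(version: str, target: str, packages: list[str], hex_chars: int = 12) -> str:
    """The weak variant: the same digest cut to `hex_chars` characters."""
    return request_key(version, target, packages)[:hex_chars]


def collision_work_bits(hex_chars: int) -> int:
    """Birthday bound: a key of n hex characters carries 4n bits, so an attacker
    expects a colliding request after roughly 2**(2n) attempts. For 12 hex
    characters that is about 2**24, a budget of a few million requests."""
    return (4 * hex_chars) // 2


if __name__ == "__main__":
    good = ["luci-app-firewall", "vim", "tcpdump"]
    print(safe_build_argv(good))
    print("unsafe string would be:", unsafe_build_command(["vim;id"]))
    try:
        safe_build_argv(["vim;id"])
    except ValueError as e:
        print("hardened builder:", e)
    print("12-hex key collision work ~ 2^%d" % collision_work_bits(12))
    print("full key collision work  ~ 2^%d" % collision_work_bits(64))
    print(truncated_key("23.05.5", "x86/64", good), request_key("23.05.5", "x86/64", good))
```

The validation is deliberately an allowlist rather than a denylist of metacharacters: it rejects leading dashes (which an argv-based runner would otherwise let through as options) and anything outside the expected character set, and the argv form removes the shell from the path entirely. Keying a cache on the full digest, over a canonical encoding, is what makes two different package sets land on different images.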

 

© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.

Tags

report, cybersecurity & data privacy, data & technology, cyber response, data privacy & cyber risk
