Malware Activity
Midnight Blizzard Uses RDP Proxies for MiTM Attacks
Researchers have discovered 193 remote desktop protocol (RDP) proxy servers provisioned as part of a malicious attack likely orchestrated by the Russian threat actor Midnight Blizzard (APT 29). The attacks are spear-phishing campaigns targeting government and military organizations, IT providers, telecommunications, and cybersecurity companies in countries such as the U.S., France, Australia, Ukraine, Israel, and Germany. The goal of the campaign is to lure victims into running a malicious RDP configuration file, which when opened instructs the victim's machine to connect to an RDP server with a legitimate-looking hostname. In order to minimize the suspicious warnings and user interactions common with RDP sessions, the attackers place a man-in-the-middle (MiTM) proxy in front of the rogue RDP servers using PyRDP, the Python Remote Desktop Protocol MitM tool. The setup enables the attacker to pose as a legitimate RDP server to the victim while deploying malicious scripts, accessing the victim's file system, and modifying files. The PyRDP proxy allows attackers to extract sensitive data from the victim system, such as passwords, files, and data from shared drives, without alerting the victim. This campaign is an example of how attackers can compromise machines without installing malware. Organizations should ensure they have controls in place for unauthorized RDP usage and educate users against running RDP configuration files received via email. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
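One control for the last point above is to inspect .rdp attachments before a user can open them. The following is an added example, not code from the original report or from PyRDP: it parses the `key:type:value` lines of a Windows .rdp file and flags a remote host outside an approved list together with resource-redirection settings (drives, clipboard, printers, smart cards) that would hand local data to a rogue server. The allowlist and sample hostnames are placeholders.

```python
"""Added defender-side check for .rdp lure files (example code, not from the report)."""
from typing import Callable, Dict, List

# Hypothetical allowlist of sanctioned RDP endpoints; adjust per environment.
APPROVED_HOSTS = {"rdp.corp.example.com", "gateway.corp.example.com"}

# .rdp keys that redirect local resources to the remote side, with the
# predicate that marks the value as risky.
REDIRECT_KEYS: Dict[str, Callable[[str], bool]] = {
    "drivestoredirect": lambda v: v != "",      # "*" shares every local drive
    "redirectclipboard": lambda v: v == "1",
    "redirectprinters": lambda v: v == "1",
    "redirectsmartcards": lambda v: v == "1",
}

def parse_rdp(text: str) -> Dict[str, str]:
    """Parse 'key:type:value' lines; split at most twice since values may hold ':'."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # malformed line, ignore
        key, _typ, value = parts
        settings[key.strip().lower()] = value.strip()
    return settings

def assess_rdp(text: str, approved=APPROVED_HOSTS) -> List[str]:
    """Return findings for a .rdp file; an empty list means nothing suspicious."""
    s = parse_rdp(text)
    findings: List[str] = []
    # 'full address' is host or host:port (IPv6 literals not handled here).
    host = s.get("full address", "").split(":")[0].lower()
    if not host:
        findings.append("no 'full address' present")
    elif host not in approved:
        findings.append(f"remote host '{host}' not in approved list")
    for key, is_risky in REDIRECT_KEYS.items():
        if key in s and is_risky(s[key]):
            findings.append(f"{key} redirects local resources ({s[key]})")
    return findings

# Constructed sample resembling a lure file; the hostname is a placeholder.
SAMPLE_LURE = """screen mode id:i:2
full address:s:secure-portal.example.net:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
"""
```

Running `assess_rdp(SAMPLE_LURE)` reports the unapproved host and three redirection settings; a file pointing at an approved host with redirection off yields no findings.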
Threat Actor Activity
Threat Actors Stole Over $2.2 Billion From Crypto Platforms in 2024
In 2024, more than $2 billion worth of cryptocurrency was stolen from crypto platforms, marking the fifth consecutive year that thefts have exceeded $1 billion. The number of incidents increased to 303 in 2024, from 282 in 2023, with losses reaching $1.5 billion between January and July alone. This surge put the industry on track for $3 billion in thefts for the year, although the frequency and size of attacks diminished after significant breaches at Japanese platform DMM Bitcoin and Indian company WazirX. The DMM Bitcoin hack, resulting in a $305 million loss, forced the platform to shut down and sell its assets to SBI Group. The stolen funds were traced and laundered through various platforms, ultimately being cashed out on the Cambodian platform Huione Guarantee, which is linked to organized crime. Meanwhile, Indian authorities arrested a suspect in connection with the $235 million WazirX theft. North Korean hacking groups were responsible for a significant portion of these thefts, stealing $1.34 billion across forty-seven (47) incidents in 2024, a substantial increase from $660.50 million in twenty (20) attacks in 2023. The growing frequency and scale of North Korean crypto heists are notable, as the regime uses the proceeds to bypass international sanctions and fund its ballistic missile programs. Notably, attacks valued between $50 million and over $100 million became more common in 2024 compared to previous years. Although some of the largest hacks are attributed to North Korean actors, they have also begun targeting smaller amounts from minor platforms. However, a decline in attacks by North Korean groups was observed after July, attributed to a summit between Russian President Vladimir Putin and North Korean leader Kim Jong Un. Consequently, the DPRK's stolen amounts decreased by approximately 53.73%, while non-DPRK thefts increased by 5%.
Vulnerabilities
Critical Fortinet Vulnerability Can be Exploited to Grant Attackers Administrator Access
Fortinet has released critical security updates for vulnerabilities in its Wireless LAN Manager (FortiWLM) and FortiManager products, urging immediate patching to prevent exploitation. The most severe vulnerability, tracked as CVE-2023-34990 with a CVSS score of 9.6/10, is a relative path traversal flaw affecting FortiWLM versions 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4. This flaw allows unauthenticated remote attackers to read sensitive files, retrieve administrator session ID tokens, and impersonate administrators, exploiting static session IDs to gain full control over vulnerable devices. The vulnerability, first reported by Zach Hanley of Horizon3.ai, can also be chained with another vulnerability (CVE-2023-48782) to achieve remote code execution (RCE). Meanwhile, Fortinet also patched a high-severity OS command injection flaw (CVE-2024-48889) in FortiManager, which could allow authenticated remote attackers to execute arbitrary code under specific conditions. These flaws, while not yet reported to be exploited in the wild, represent significant security risks, making it crucial for users to update FortiWLM to version 8.6.6 or 8.5.5 and FortiManager to its latest patched version to protect their systems. CTIX analysts recommend that any affected administrators ensure that they are running the most recent secure patch to prevent future exploitation of these flaws.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC, its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.