Ransomware/Malware Activity
New Attack Campaign Targets Chrome Browser Extensions
On December 27, 2024, cybersecurity firm Cyberhaven disclosed an attack against its browser extension that resulted in the release of a malicious version, which was available for just over a day before it was discovered and taken down. In its disclosure, Cyberhaven explained that the threat actor sent an employee a phishing email that spoofed Google Chrome Web Store Developer Support and urged the employee to click a link to accept developer program policies and grant permissions to a malicious application named “Privacy Policy Extension”. With those permissions granted, the attacker uploaded a malicious version of the Chrome extension to the web store that included code built to communicate with a command-and-control server, download additional configuration files, and exfiltrate user data. Following this discovery, cybersecurity researchers also identified additional extensions that have potentially been compromised in the same way, indicating that the attack on Cyberhaven is part of a broader campaign. Researchers have published the names and versions of over thirty (30) other browser extensions that have likely been compromised. Analysis of the code found in the malicious Cyberhaven extension reveals that it primarily targets the identity data and access tokens of Facebook accounts. The code listens for mouse click events on the facebook[.]com website and checks for images whose src attribute contains the string “qr/show/code”. Researchers believe that the intent of this code is to search for QR codes related to two-factor authentication requests. CTIX analysts recommend that individuals and organizations review the list of potentially compromised extensions to ensure they are not impacted. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
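A defender-side check for the review recommended above, written for this digest rather than taken from Cyberhaven or the researchers: it inventories the extensions installed under a Chrome profile, compares each (name, version) against a compromised list (a placeholder here; fill it from the published list) and scans the extension's scripts for the "qr/show/code" indicator string. The sample profile tree, extension IDs and names are constructed.

```python
import glob
import json
import os
import tempfile

# Added example, not Cyberhaven's or any researcher's code. Inventories the extensions under a
# Chrome profile's Extensions/ directory and flags those whose (name, version) appears on a
# compromised list or whose scripts contain the "qr/show/code" string described in the report.
COMPROMISED = {("EXAMPLE-COMPROMISED-EXTENSION", "1.2.3")}  # placeholder: fill from the published list
INDICATOR = "qr/show/code"  # string the malicious build matched against <img src> on facebook.com


def scan_extensions(root):
    """Scan <root>/<ext_id>/<version_dir>/manifest.json; return [(ext_id, name, version, reasons)]."""
    findings = []
    for manifest in sorted(glob.glob(os.path.join(root, "*", "*", "manifest.json"))):
        vdir = os.path.dirname(manifest)
        ext_id = os.path.basename(os.path.dirname(vdir))
        with open(manifest, encoding="utf-8") as f:
            m = json.load(f)
        name, ver = m.get("name", ""), m.get("version", "")
        reasons = ["listed as compromised"] if (name, ver) in COMPROMISED else []
        for dirpath, _, files in os.walk(vdir):
            for fn in (x for x in files if x.endswith(".js")):
                with open(os.path.join(dirpath, fn), encoding="utf-8", errors="ignore") as f:
                    if INDICATOR in f.read():
                        reasons.append(f"indicator string in {fn}")
        if reasons:
            findings.append((ext_id, name, ver, reasons))
    return findings


def build_sample():
    """Constructed sample profile (not real extension data): one benign, one carrying the indicator."""
    root = tempfile.mkdtemp()
    samples = [
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Benign Notes", "2.0.0", "console.log('ready');"),
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "Sample Extension", "3.1.0",
         "if (img.src.includes('qr/show/code')) { report(img.src); }"),
    ]
    for ext_id, name, ver, js in samples:
        vdir = os.path.join(root, ext_id, ver + "_0")  # Chrome names version dirs like 3.1.0_0
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": ver, "manifest_version": 3}, f)
        with open(os.path.join(vdir, "content.js"), "w", encoding="utf-8") as f:
            f.write(js)
    return root
```

Point scan_extensions at a real profile's Extensions directory (for example ~/.config/google-chrome/Default/Extensions on Linux); note that some manifests carry a localized name placeholder such as __MSG_appName__, so match on the extension ID wherever the published list provides one.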
Threat Actor Activity
U.S. OFAC Sanctioned Iranian and Russian Entities for Presidential Election Interference
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned entities in Iran and Russia for attempting to interfere with the 2024 U.S. presidential election. These entities, linked to Iran's Islamic Revolutionary Guard Corps (IRGC) and Russia's Main Intelligence Directorate (GRU), were involved in disinformation campaigns aimed at influencing the electoral outcome and creating socio-political tensions in the U.S. In August 2024, the Office of the Director of National Intelligence (ODNI), the FBI, and CISA accused Iran of cyber operations targeting U.S. elections. Meta also blocked WhatsApp accounts used by Iranian actors, linked to the IRGC's Charming Kitten group, targeting individuals in multiple countries. Criminal charges were later unsealed against three (3) Iranian nationals for targeting U.S. government personnel to steal sensitive data. The latest Iranian entity sanctioned is the Cognitive Design Production Center (CDPC). A Moscow-based affiliate, the Center for Geopolitical Expertise (CGE), was also sanctioned. Founded by Aleksandr Dugin, CGE is involved in creating and distributing deepfakes and disinformation using generative AI, supported financially by the GRU. This operation was designed to influence U.S. elections and included manipulating a viral video to sow disagreement. The GRU provided CGE with financial support to maintain AI infrastructure and a network of websites used in disinformation operations. Valery Korovin, a GRU officer, coordinated these operations, leveraging Russian proxy websites and fake personas to mask the Kremlin's involvement. These sanctions are part of ongoing U.S. efforts to counter foreign election interference, following similar actions against Iranian and Russian entities accused of hacking and spreading disinformation in previous elections.
Vulnerabilities
Four-Faith Router Vulnerability Exploited by Threat Actors to Drop Reverse Shells
Threat actors are actively exploiting a command injection vulnerability in Four-Faith industrial routers to deploy reverse shells and gain full remote access to affected devices. The flaw, tracked as CVE-2024-12856 (CVSS 7.2), impacts router models F3x24 and F3x36, which are commonly used in critical sectors such as energy, transportation, and telecommunications. This OS command injection issue requires authentication, but that requirement is often circumvented through default credentials; it allows attackers to execute arbitrary commands via HTTP POST requests targeting the "/apply.cgi" endpoint and its "adj_time_year" parameter. With approximately 15,000 internet-facing routers at risk, attackers exploit the vulnerability to manipulate device configurations, establish persistence, and escalate attacks within connected networks. The exploitation, observed since November 2024, mimics the techniques used for CVE-2019-12168 but employs distinct payloads. VulnCheck discovered the malicious activity and alerted Four-Faith on December 20, 2024, but a security patch remains pending. CTIX analysts urge users to update firmware, change default credentials, and implement Suricata rules to detect and block exploitation attempts while awaiting mitigation guidance from Four-Faith.
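The detection logic behind the Suricata-style rule recommended above, as an added example that is not VulnCheck's or Four-Faith's code: it parses raw HTTP requests and flags a POST to /apply.cgi whose adj_time_year value is anything other than a plain four-digit year, which is the shape the injection described in this entry takes. The sample requests are constructed, and the "<cmd>" token is a stand-in for injected text rather than a real payload.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not VulnCheck's or Four-Faith's code. Flags HTTP requests matching the
# CVE-2024-12856 exploitation pattern described above: a POST to /apply.cgi whose
# adj_time_year parameter is anything other than a plain four-digit year.
YEAR = re.compile(r"\d{4}")


def parse_request(raw):
    """Parse a minimal raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return method, urlsplit(target).path, headers, body


def suspicious_apply_cgi(raw):
    """Return a reason if the request looks like an adj_time_year injection attempt, else None."""
    method, path, _headers, body = parse_request(raw)
    if method != "POST" or path != "/apply.cgi":
        return None
    params = parse_qs(body, keep_blank_values=True)
    for value in params.get("adj_time_year", []):
        if not YEAR.fullmatch(value):
            return f"adj_time_year={value!r} is not a plain year"
    return None


# Constructed sample traffic (not captured from a real device); <cmd> stands in for any injected text.
SAMPLES = [
    "POST /apply.cgi HTTP/1.1\r\nHost: router.example\r\n\r\nadj_time_year=2024",
    "POST /apply.cgi HTTP/1.1\r\nHost: router.example\r\n\r\nadj_time_year=2024%3B<cmd>",
    "GET /index.html HTTP/1.1\r\nHost: router.example\r\n\r\n",
]


def flagged(samples=SAMPLES):
    """Indices of the sample requests that the check flags."""
    return [i for i, raw in enumerate(samples) if suspicious_apply_cgi(raw)]
```

Because the check keys on the value's shape rather than on specific metacharacters, it also catches the distinct payload variants the entry mentions, at the cost of flagging any legitimately malformed time update, which is rare enough on an industrial router to be worth reviewing.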
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.