
Ankura CTIX FLASH Update - January 14, 2025

Malware Activity


New cybersecurity threats have been discovered

  • Several new cybersecurity threats have been discovered, including a malicious proof-of-concept (PoC) exploit for the "LDAPNightmare" vulnerability on GitHub, which infects users with infostealer malware that exfiltrates sensitive data. Additionally, ransomware attacks on VMware ESXi servers have surged, with attackers targeting the vCenter server and exploiting the "vpxuser" account to gain control and demand ransoms averaging $5 million. A new credit card skimmer campaign has also been discovered, targeting WordPress e-commerce checkout pages with stealthy malware that injects malicious JavaScript code and captures sensitive payment details. Furthermore, a new AI-assisted ransomware family called FunkSec has emerged, using double-extortion tactics and demanding low ransoms, while also selling stolen data to third parties. To protect against these threats, users and organizations are advised to exercise caution when sourcing public exploits, implement robust security measures, and enhance detection and prevention capabilities to safeguard sensitive data and prevent devastating cyber-attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


New 'Codefinger' Hackers Targeting Amazon S3 Cloud Storage Buckets

  • Threat actors are using ransomware to target Amazon S3 buckets by using Amazon Web Services' (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C). The campaign is led by a threat actor group named "Codefinger," which has encrypted the data of at least two (2) victims so far. This tactic represents a significant evolution in ransomware capabilities, and there is concern it could be adopted by other threat actors. Amazon S3 is a widely used cloud storage service, and SSE-C allows customers to encrypt their data using their own keys. In the attacks, Codefinger exploits compromised AWS credentials with specific privileges ('s3:GetObject' and 's3:PutObject') to encrypt objects in S3 buckets. The attackers generate an encryption key locally, making data recovery impossible without the attacker's cooperation, as AWS does not store these keys. To pressure victims into paying ransoms, Codefinger sets a seven-day file deletion policy using the S3 Object Lifecycle Management API and drops ransom notes in affected directories. The notes instruct victims to pay a ransom in Bitcoin in exchange for the decryption key and warn against altering AWS account permissions, threatening to terminate negotiations if such actions are taken. S3 buckets have long been targeted due to often being left exposed, leading to data breaches. Ransomware actors have previously exploited legitimate encryption tools, like Microsoft's BitLocker, to encrypt customer data. These findings have been reported to Amazon, which has been proactive in notifying affected customers and investigating exposed keys. AWS encourages customers to implement strict security protocols, such as disabling unused keys, frequently rotating active ones, and minimizing account permissions. Additionally, AWS advises against storing credentials in source code or configuration files. AWS provides resources for customers to protect themselves and urges those affected to contact support.
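The two observable steps in the Codefinger pattern described above (PutObject calls that apply SSE-C, followed by a lifecycle rule that deletes objects within days) can be hunted for in CloudTrail, and SSE-C writes can be refused outright with a bucket policy. The following is an added example written for this update, not code from Ankura or AWS; the CloudTrail records are constructed, and the field layout (additionalEventData.SSEApplied, requestParameters.LifecycleConfiguration.Rule) is assumed to match CloudTrail's S3 event schema and should be checked against your own logs.

```python
# Added example, not from the Ankura report: flag CloudTrail records that fit the
# Codefinger pattern (SSE-C PutObject, short-lived lifecycle expiration) and build a
# bucket policy that denies SSE-C writes. Record layout is assumed; records are constructed.
MAX_EXPIRATION_DAYS = 7  # the report notes a seven-day deletion policy

SAMPLE_RECORDS = [  # constructed CloudTrail records, not real telemetry
    {"eventTime": "2025-01-10T03:12:44Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-data", "key": "finance/q4.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:12:45Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"bucketName": "corp-data", "key": "logs/app.log"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T03:15:02Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-data", "LifecycleConfiguration":
         {"Rule": {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 7}}}}},
]

def flag_event(record):
    """Return a reason string if the record fits the SSE-C ransomware pattern, else None."""
    name = record.get("eventName")
    params = record.get("requestParameters") or {}
    if name == "PutObject":
        # Legitimate SSE-S3/SSE-KMS writes pass; only customer-supplied keys are flagged.
        if (record.get("additionalEventData") or {}).get("SSEApplied") == "SSE_C":
            return f"SSE-C applied to s3://{params.get('bucketName')}/{params.get('key')}"
    elif name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
        for rule in (rules if isinstance(rules, list) else [rules]):  # single rule arrives as a dict
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and int(days) <= MAX_EXPIRATION_DAYS:
                return f"lifecycle rule '{rule.get('ID')}' expires objects after {days} day(s)"
    return None

def scan(records):
    """Return (time, principal, reason) for every flagged record, in log order."""
    return [(r["eventTime"], r["userIdentity"]["arn"], reason)
            for r in records if (reason := flag_event(r))]

def deny_sse_c_policy(bucket):
    """Bucket policy denying any PutObject that carries an SSE-C algorithm header, so
    stolen credentials holding s3:PutObject cannot re-encrypt data under an attacker key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}
```

Running scan(SAMPLE_RECORDS) flags the SSE-C write and the seven-day lifecycle rule from the same principal while leaving the SSE-KMS write alone; the Null condition in the policy matches requests where the SSE-C header is present.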


Vulnerabilities


PoC Exploit Published for Zero-Click Samsung Vulnerability

  • A critical vulnerability in the Monkey's Audio (APE) decoder, affecting Samsung devices running Android 12, 13, and 14, including the S23 and S24 models, has been discovered by Google Project Zero researcher Natalie Silvanovich. The flaw, tracked as CVE-2024-49415 (CVSS score: 8.1/10), involves an out-of-bounds write in the "saped_rec" function within the libsaped.so library, where a specially crafted APE audio file can overflow a buffer allocated by the C2 media service. This zero-click exploit requires no user interaction and is particularly concerning for devices with Rich Communication Services (RCS) enabled in Google Messages, as the transcription service automatically decodes incoming audio messages before user interaction. Silvanovich highlighted the risk of adjacent non-DMA data being affected by the overflow, raising concerns about potential remote code execution (RCE). In a hypothetical attack, a malicious audio message could cause the media codec process to crash, and under certain conditions, allow an attacker to gain control of the device. Samsung addressed the issue by adding input validation in its December 2024 security update and urged users to install the latest patches. The same update also resolved another high-severity vulnerability (CVE-2024-49413, CVSS score: 7.1) in SmartSwitch, which could allow local attackers to install malicious apps through improper cryptographic signature verification. CTIX analysts recommend that Samsung users ensure they have the most up-to-date patch installed on their devices to prevent future exploitation.


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice
