Ankura CTIX FLASH Update - May 3, 2024

Ankura Consulting Group LLC
Contributor
Ankura Consulting Group, LLC is an independent global expert services and advisory firm that delivers end-to-end solutions to help clients at critical inflection points related to conflict, crisis, performance, risk, strategy, and transformation. Ankura consists of more than 1,800 professionals and has served 3,000+ clients across 55 countries. Collaborative lateral thinking, hard-earned experience, and multidisciplinary capabilities drive results and Ankura is unrivalled in its ability to assist clients to Protect, Create, and Recover Value. For more information, please visit, ankura.com.

Ransomware/Malware Activity

Cuttlefish Malware Monitors and Hijacks Traffic on SOHO Devices

Researchers at Black Lotus Labs have recently reported on a new version of malware targeting small office/home office (SOHO) routers. The Cuttlefish malware is designed to steal credential-bearing traffic and to hijack DNS and HTTP traffic associated with communications on the internal network. It is currently unclear how the attackers behind the Cuttlefish malware gain initial access to the victim routers. Once initial access is gained, the attackers deploy a bash script that downloads the Cuttlefish payload and gathers host data to send back to the attackers' command-and-control (C2) server. The Cuttlefish malware is built to infect all major router architectures. Its first step is to configure a packet filter that monitors all connections through the router. The filter is coded so that only traffic matching certain criteria is sent back to the C2 server. Cuttlefish searches for any packets with credential markers typically associated with authentication information in GET and POST requests. Researchers note that the packet sniffer emphasizes looking for packets associated with public cloud-based services. Cuttlefish can also hijack traffic destined for a private IP address by redirecting DNS and HTTP requests, which ultimately can allow the attacker to gain access to resources on the internal network. The latest Cuttlefish campaign has been ongoing since October 2023 and has been seen primarily targeting victims in Turkey utilizing one (1) of two (2) telecommunications providers. Cuttlefish is an especially dangerous threat to organizations because it can bypass network segmentation measures and is positioned on the router, which often does not support endpoint monitoring technology. CTIX analysts will continue to report on new and evolving forms of malware and associated campaigns.
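One defensive check that follows from the DNS-hijacking behaviour described above is to compare the answers a router's resolver hands out for internal hostnames against a known baseline of private addresses. The script below is an added example, not code from the Black Lotus Labs report or a Cuttlefish artifact; the baseline, the resolver log format and all addresses are constructed.

```python
"""Flag possible DNS hijacking of internal names by comparing a SOHO router's
resolver answers against a baseline. Added example; all data is constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed baseline: internal hostnames and the private address each should resolve to.
BASELINE: Dict[str, str] = {
    "intranet.corp.local": "10.0.0.25",
    "git.corp.local": "10.0.0.40",
    "fileserver.corp.local": "192.168.1.10",
}

# Constructed resolver log, one answer per line: "<epoch> <client> <qname> <answer>".
SAMPLE_LOG = """\
1714700000 192.168.1.50 intranet.corp.local 10.0.0.25
1714700010 192.168.1.51 git.corp.local 10.0.0.40
1714700020 192.168.1.50 fileserver.corp.local 104.16.0.1
1714700030 192.168.1.52 intranet.corp.local 10.0.0.99
1714700040 192.168.1.52 www.example.com 93.184.216.34
"""

def classify(qname: str, answer: str) -> str:
    """Return 'ok', 'external_redirect', 'private_mismatch' or 'unknown_name'."""
    expected = BASELINE.get(qname)
    if expected is None:
        return "unknown_name"        # not an internal name in the baseline
    if answer == expected:
        return "ok"
    # Internal name answered with a public address: the strongest hijack signal,
    # since traffic meant for the LAN would now leave the network.
    if not ipaddress.ip_address(answer).is_private:
        return "external_redirect"
    return "private_mismatch"        # still private, but not the expected host

def find_hijacks(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, qname, answer, verdict) for every suspicious internal answer."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = line.split()
        verdict = classify(qname, answer)
        if verdict not in ("ok", "unknown_name"):
            findings.append((client, qname, answer, verdict))
    return findings

if __name__ == "__main__":
    for client, qname, answer, verdict in find_hijacks(SAMPLE_LOG):
        print(f"{verdict}: {client} asked {qname}, got {answer}")
```

Because the implant sits on the router itself, the comparison is most useful when run from a host behind the router and checked against a resolver the router cannot influence.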

Threat Actor Activity

US Govt and its Partners Publish Advisory Warning of Russian Threats to Critical Infrastructure OT Systems

The dangers posed to US critical infrastructure are mounting once again, warranting calls for urgent action to help keep these systems protected. A large number of US agencies and their partners, including CISA, FBI, NSA, EPA, USDA, and FDA, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Canada's Centre for Cyber Security (CCCS), and the United Kingdom's National Cyber Security Centre (NCSC-UK), have released a joint advisory warning that pro-Russian hacktivists are targeting North American and European critical infrastructure, breaking into insecure operational technology (OT) systems to disrupt operations. OT devices monitor and control physical processes and activities in manufacturing, critical infrastructure, supply chain, and other industries, so a compromise can translate into physical harm. The joint advisory notes that none of the reported intrusions it has identified have led to operational impacts, but as observed in the attack on the Texas water facility in April 2024, the intrusion into the facility's OT systems caused pumps to exceed their normal operating parameters, leading to one (1) tank overflowing. Based on the additional targeting of industrial control systems in North America and Europe and the techniques the threat actors are using, the advisory offers mitigation recommendations for critical infrastructure organizations. The recommendations include hardening human machine interfaces (HMIs) and putting them behind firewalls, enabling multifactor authentication (MFA), applying the latest security updates and patches, changing default passwords, and raising the overall security posture of their IT environments to meet the rising threats. CTIX analysts recommend that readers involved in overseeing critical infrastructure security take a further look at the advisory, linked below.

Vulnerabilities

Actively Exploited GitLab Vulnerability Poses Severe Supply Chain Risk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about an actively exploited critical vulnerability in GitLab, which has been added to its Known Exploited Vulnerabilities (KEV) catalog. This maximum severity flaw, tracked as CVE-2023-7028 (CVSS score of 10/10) and introduced in a May 2023 update, allows attackers to hijack accounts by redirecting password reset emails to unauthorized addresses. Although accounts with two-factor authentication are only susceptible to password resets and not full account takeovers, the potential for significant security breaches is high. Successful exploitation could lead to the theft of sensitive data and credentials and the insertion of malicious code into source code repositories, potentially resulting in devastating supply chain attacks. GitLab has responded by releasing patches for several versions to mitigate this issue. CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies apply these updates no later than May 22, 2024, to secure their networks against such threats. CTIX analysts urge all administrators to ensure they have patched this vulnerability. Additionally, administrators who suspect their organization has already been compromised are advised to consult GitLab's incident response guide for guidance.
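The defensive principle behind this bug class is that a password-reset link must only ever be delivered to a verified address already stored for the account, never to a destination taken from the request. The handler below is an added example illustrating that principle with a constructed user store and an in-memory outbox; it is not GitLab's code or GitLab's patch, and the specific input checks are general hardening assumptions rather than a description of the vulnerability.

```python
"""Password-reset flow that delivers the reset token only to a stored, verified
address. Added example with a constructed user store; this is not GitLab's code."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class User:
    username: str
    verified_emails: List[str]
    reset_token: Optional[str] = None

# Constructed user store and an outbox standing in for the mailer.
USERS: Dict[str, User] = {"alice": User("alice", ["alice@example.org"])}
OUTBOX: List[Tuple[str, str]] = []      # (recipient, token) pairs that were "sent"

def _find_by_verified_email(email: str) -> Optional[Tuple[User, str]]:
    """Match the supplied address against stored, verified addresses only."""
    for user in USERS.values():
        for stored in user.verified_emails:
            if stored.lower() == email.lower():
                return user, stored
    return None

def request_reset(email_param: object) -> bool:
    """Handle a reset request; True only when a token was issued.

    Refuses any parameter that is not a single string (multi-valued form
    input is rejected rather than iterated), resolves the account from its
    stored address, and mails the token to that stored address, so the
    requester never chooses where the reset link is delivered."""
    if not isinstance(email_param, str):
        return False
    match = _find_by_verified_email(email_param.strip())
    if match is None:
        return False                    # caller should still reply with a generic message
    user, stored_email = match
    user.reset_token = secrets.token_urlsafe(32)
    OUTBOX.append((stored_email, user.reset_token))   # stored address, never the input
    return True

def complete_reset(token: str) -> bool:
    """Consume the single-use token; a wrong or reused token changes nothing."""
    for user in USERS.values():
        if user.reset_token and secrets.compare_digest(user.reset_token, token):
            user.reset_token = None     # one use only; password update would follow here
            return True
    return False
```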

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
