Ankura CTIX FLASH Update - July 30, 2024

Ankura Consulting Group LLC


Malware Activity

GXC Team Cybercrime Group Harnesses AI for Vishing

Researchers at Group-IB have been tracking sophisticated phishing campaigns associated with the cybercrime group "GXC Team", which has targeted customers of financial institutions since January 2023. The GXC Team operation is notable because it bundles an AI-powered Phishing-as-a-Service (PhaaS) platform with Android malware designed to steal one-time passwords (OTPs). GXC Team advertises its criminal services on dark web forums and in private Telegram channels, selling the phishing kit and malware bundle for $500 per month. GXC Team-linked campaigns have targeted users of over thirty-six (36) Spanish banks and thirty (30) institutions worldwide, including cryptocurrency exchanges in the United States. Researchers have identified at least 250 phishing domains linked to these campaigns. The attacks typically begin with a smishing (SMS phishing) message impersonating the victim's financial institution, luring the victim into clicking a link that leads to a spoofed banking page requesting credentials. Depending on the attack's success and pretext, victims may then receive a phone call from an AI-powered voice caller, driven by attacker-supplied prompts, that attempts to convince them to hand over two-factor authentication (2FA) codes, to install Android malware, or to divulge additional identifying information. Attackers try to deceive victims into installing the Android malware by claiming it is an application designed to prevent fraud, when in fact it was designed to steal SMS OTPs. The malware pretends to be a legitimate banking application that, once installed and opened, requires the user to set it as the "default SMS app"; this grants it permission to read SMS messages containing OTPs, which it forwards to a Telegram chat controlled by the attacker. The discovery of these campaigns highlights the creative combination of techniques cybercriminals are deploying to increase the likelihood of a successful attack.
Group-IB includes prevention and mitigation recommendations for financial institutions and customers in their recent post linked below. CTIX analysts will continue to report on new and emerging strains of malware and their associated campaigns.

Threat Actor Activity

Hacktivist Targets Middle Eastern Financial Institution with 100-Hour DDoS Attack

A hacktivist group called SN_BLACKMETA recently executed a significant distributed denial-of-service (DDoS) attack against an unnamed financial institution in the Middle East. The attack, which spanned six (6) days and totaled approximately one hundred (100) hours, featured multiple waves of traffic peaking at 14.7 million requests per second (RPS). Despite the intensity of the attack, the financial institution maintained its services without disruption. SN_BLACKMETA, which organizes and publicizes its activities through Telegram and X accounts, uses InfraShutdown, a DDoS-for-hire service, to carry out its attacks. Its tactics involve overwhelming websites with traffic to render them temporarily unavailable. The attack on the financial institution follows a pattern of targeting critical infrastructure, including banks, telecommunications providers, and government websites across the Middle East. The group's activities and attack methods resemble those of Anonymous Sudan, with significant overlap in the countries targeted. SN_BLACKMETA's operations are part of a broader strategy to disrupt entities it views as complicit in injustices against Palestinians and Muslims more broadly. Its attacks have expanded to prominent tech companies such as Microsoft and Yahoo, reflecting a methodical approach to broadening its impact and visibility. A connection to Russia is suggested by the group's language use and activity patterns, although its primary focus remains on Palestinian issues. This incident underscores the persistent threat posed by hacktivist groups employing sophisticated DDoS tactics for political agendas.

Vulnerabilities

'PKFail' Secure Boot Bypass Vulnerability Impacts Millions of Devices

Researchers have uncovered a significant security vulnerability affecting millions of computer systems from multiple vendors that use Intel and ARM microprocessors. The issue arises from the use of a compromised Platform Key (PK) from American Megatrends International (AMI), which serves as the root of trust in the Secure Boot process. This key, leaked in 2018, was never replaced by downstream vendors, so it shipped in numerous devices. The vulnerability, dubbed "PKFail," allows attackers to bypass Secure Boot protections, enabling them to manipulate the critical Secure Boot databases and deploy persistent malware such as UEFI bootkits. The flaw affects major vendors, including Lenovo, HP, Asus, and SuperMicro. To mitigate PKFail, vendors should generate and manage the Platform Key using cryptographic key-management best practices, such as Hardware Security Modules (HSMs). Additionally, it is crucial that any test keys provided by independent BIOS vendors, like AMI, are replaced with securely generated keys of the vendor's own. Although the fix involves replacing the compromised key and issuing firmware updates, the widespread use of the same key across different devices amplifies the risk. The situation highlights the critical need for proper cryptographic key management in the device supply chain to prevent such security lapses. CTIX analysts urge impacted users to follow their vendor's guidance and to watch for firmware patches if they have not yet shipped.
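As an added example, not part of the CTIX update and not a vendor's tool: a Python check that reads the Secure Boot PK variable as Linux's efivarfs exposes it (a 4-byte attribute header followed by EFI_SIGNATURE_LIST records, per the UEFI specification), pulls out the X.509 payload, and flags a Platform Key whose certificate subject carries the "DO NOT TRUST" marker that the leaked AMI test certificates are reported to contain. The efivarfs path and GUIDs are the specification's; the sample PK blob with its minimal DER subject is constructed for illustration and stands in for a real certificate.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec: X.509 list type
PK_EFIVAR_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"  # Linux efivarfs
UNTRUSTED_MARKERS = ("DO NOT TRUST",)  # subject marker the leaked AMI test PKs are reported to carry

def parse_signature_lists(data):
    """Return the SignatureData of every X.509 entry in a chain of EFI_SIGNATURE_LIST records."""
    certs, off = [], 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each entry: 16-byte SignatureOwner GUID, then the payload
            if sig_type == EFI_CERT_X509_GUID:
                certs.append(data[pos + 16:pos + sig_size])
            pos += sig_size
        off = end
    return certs

def der_strings(der):
    """Yield every PrintableString/UTF8String/IA5String in a DER blob (minimal TLV walker)."""
    off = 0
    while off + 2 <= len(der):
        tag, ln, off = der[off], der[off + 1], off + 2
        if ln & 0x80:  # long-form length: low bits give the number of length bytes that follow
            n = ln & 0x7F
            ln, off = int.from_bytes(der[off:off + n], "big"), off + n
        val = der[off:off + ln]
        if tag & 0x20:  # constructed type: descend into it
            yield from der_strings(val)
        elif tag in (0x0C, 0x13, 0x16):
            yield val.decode("utf-8", errors="replace")
        off += ln

def pk_is_untrusted(efivar_bytes):  # True if the PK certificate subject carries an untrusted marker
    body = efivar_bytes[4:]  # efivarfs prefixes each variable with 4 bytes of attributes
    return any(marker in text for cert in parse_signature_lists(body)
               for text in der_strings(cert) for marker in UNTRUSTED_MARKERS)

def build_sample_pk(common_name):  # constructed sample PK variable, not a real certificate
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form TLV is enough here
    cn_attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, common_name.encode()))
    name = der(0x30, der(0x31, cn_attr))  # SEQUENCE { SET { SEQUENCE { id-at-commonName, CN } } }
    entry = bytes(16) + name  # all-zero SignatureOwner GUID (constructed) followed by the payload
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry))
    return b"\x07\x00\x00\x00" + header + entry  # NV | BS | RT attributes, then the list
```

On a live Linux host, pass the bytes of PK_EFIVAR_PATH to pk_is_untrusted; a True result means the firmware still trusts a test key and the vendor's firmware update is the fix.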
