Ankura CTIX FLASH Update - July 21, 2023

Ankura Consulting Group LLC

Malware Activity

Two Spyware Variants "WyrmSpy" and "DragonEgg" Recently Attributed to China-Linked Threat Group APT41

Researchers have attributed two (2) new Android spyware variants to the China-linked advanced persistent threat (APT) group APT41 (also known as Winnti, Wicked Panda, and BARIUM). APT41 has been active since 2012 and has historically targeted both public and private organizations, including "nation-state governments, software development companies, computer hardware manufacturers, telecommunications providers, social media companies, and video game companies," for both financial gain and espionage. Researchers noted that it is rare for APT41 to target mobile platforms, as the group typically exploits web-facing applications and traditional endpoint devices. The two (2) variants linked to the group, "WyrmSpy" and "DragonEgg", are described by researchers as having sophisticated data collection and exfiltration capabilities. The two (2) variants share overlapping Android signing certificates, and their infrastructure overlapped with known APT41 infrastructure between May 2014 and August 2020. Researchers also explained that WyrmSpy and DragonEgg have different targeting scopes and are assessed with medium confidence to be delivered through social engineering. WyrmSpy primarily disguises itself as a "default operating system app" for Android and escalates its privileges once executed on a victim device; it then performs spyware functions, including uploading log files, photos, and device location, and may also collect audio recordings and SMS messages. DragonEgg disguises itself as a "third-party keyboard or messaging app" and requests a broad set of permissions from the device; it may collect device contacts, location, photos, audio recordings, SMS messages, and files on external storage. CTIX analysts will continue to monitor emerging spyware and provide campaign details as available.
Indicators of compromise (IOCs) and technical details can be viewed in the report linked below.
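As an added illustration (not code from the Lookout report or from Ankura), the following Python script applies the two signals described above to a set of Android packages: it parses each AndroidManifest.xml for permissions that map onto the collection capabilities listed (contacts, location, photos, audio, SMS, external storage) and groups packages by signing-certificate fingerprint to surface the kind of certificate overlap used to tie WyrmSpy and DragonEgg together. The package names, fingerprints, and manifests are constructed, and the three-capability threshold is an assumption.

```python
"""Triage Android apps for surveillance-grade permission sets and shared signers.

Added example, not code from the Ankura or Lookout reports. Inputs are
(package name, signing-certificate SHA-256 fingerprint, AndroidManifest.xml
text); every package name, fingerprint and manifest below is constructed.
"""
from collections import defaultdict
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Map runtime permissions to the collection capabilities named in the write-up
# (contacts, location, photos, audio, SMS, external storage).
CAPABILITY_BY_PERMISSION = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "photos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}

# Heuristic threshold (assumption): three or more distinct surveillance
# capabilities in one app is worth an analyst's attention.
SUSPICIOUS_THRESHOLD = 3


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def surveillance_capabilities(permissions):
    return {CAPABILITY_BY_PERMISSION[p] for p in permissions if p in CAPABILITY_BY_PERMISSION}


def triage(apps):
    """apps: iterable of (package, signer_sha256, manifest_xml).

    Returns (flagged, shared_signers):
      flagged        {package: sorted capabilities} for apps at/over threshold
      shared_signers {fingerprint: sorted packages} where one certificate signs
                     more than one package (the overlap used in attribution)
    """
    flagged = {}
    packages_by_signer = defaultdict(set)
    for package, signer, manifest in apps:
        caps = surveillance_capabilities(declared_permissions(manifest))
        packages_by_signer[signer].add(package)
        if len(caps) >= SUSPICIOUS_THRESHOLD:
            flagged[package] = sorted(caps)
    shared = {s: sorted(p) for s, p in packages_by_signer.items() if len(p) > 1}
    return flagged, shared


def _manifest(package, permissions):
    """Build a minimal constructed AndroidManifest.xml for the sample set."""
    body = "".join('  <uses-permission android:name="%s"/>\n' % p for p in permissions)
    return '<manifest xmlns:android="%s" package="%s">\n%s</manifest>\n' % (
        ANDROID_NS, package, body)


# Constructed sample: a "keyboard" and a "system update" app signed by the same
# certificate (fp-A), plus an unrelated single-purpose app.
SAMPLE_APPS = [
    ("com.example.keyboard", "fp-A", _manifest("com.example.keyboard", [
        "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
        "android.permission.READ_EXTERNAL_STORAGE", "android.permission.INTERNET"])),
    ("com.example.sysupdate", "fp-A", _manifest("com.example.sysupdate", [
        "android.permission.ACCESS_COARSE_LOCATION", "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO", "android.permission.RECEIVE_SMS",
        "android.permission.INTERNET"])),
    ("com.example.flashlight", "fp-B", _manifest("com.example.flashlight", [
        "android.permission.CAMERA"])),
]


def run_sample():
    return triage(SAMPLE_APPS)


if __name__ == "__main__":
    flagged, shared = run_sample()
    for pkg, caps in flagged.items():
        print("FLAG %s: %s" % (pkg, ", ".join(caps)))
    for fp, pkgs in shared.items():
        print("shared signer %s: %s" % (fp, ", ".join(pkgs)))
```

In practice the manifest comes from `apktool` or `aapt dump` and the signer fingerprint from `apksigner verify --print-certs`; the threshold is only a triage cue, since legitimate messaging apps also request several of these permissions, so the signer overlap is the stronger signal.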

Threat Actor Activity

FIN8 Actors Shifting to Ransomware

The FIN8 threat group has begun to shift its modus operandi to include ransomware attacks using several malware families. FIN8, also tracked as Syssphinx, is a well-established, financially motivated cybercriminal operation that has been active since early 2016 and often targets the retail, insurance, hospitality, technology, financial, and chemical sectors. Typically relying on social engineering and spearphishing for delivery, FIN8 actors deploy customized malware onto a target's machine to harvest system information, execute commands, and stage second-stage malware. Security researchers have recently observed FIN8 using multiple ransomware families, including the "Ragnar Locker" ransomware associated with Viking Spider, the "White Rabbit" ransomware, and the "Noberus" ransomware (the name under which the ALPHV/BlackCat ransomware is also tracked). Specific cases in which these ransomware families were deployed go back to June 2021, when FIN8 deployed Ragnar Locker on a compromised system within a United States financial institution. More recent FIN8 attacks include the deployment of White Rabbit against an undisclosed organization in early 2022, followed by a Noberus deployment in late 2022. FIN8 continues both to evolve its malware arsenal and to change tactics in order to broaden its attack capabilities. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.

Vulnerabilities

Critical Vulnerabilities in MegaRAC BMC Pose Threat to Technology Supply Chain

Hardware and software manufacturer American Megatrends International (AMI) has been made aware of two (2) critical vulnerabilities in its MegaRAC Baseboard Management Controller (BMC) firmware that, if chained together, could allow an unauthenticated attacker to bypass authentication, obtain root privileges on the BMC, and achieve remote code execution (RCE). MegaRAC is widely used BMC firmware found in products from a range of hardware vendors, including AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett Packard Enterprise, Huawei, Ampere Computing, and ASRock; the BMC gives administrators out-of-band remote control of server hardware, including in cloud environments. The first and most severe vulnerability, tracked as CVE-2023-34329, is an authentication bypass with a CVSS score of 9.9/10; the second, tracked as CVE-2023-34330, is a code injection vulnerability with a CVSS score of 6.7/10. Both are exploitable by an unauthenticated attacker who has network access to the BMC. The two (2) flaws can be chained either from a compromised host operating system or over the network by sending crafted HTTP requests to the BMC's Redfish interface, DMTF's "API standard for the management of a server's infrastructure and other infrastructure supporting modern data centers." The combined chain carries a CVSS score of 10/10. The flaws were discovered by security researchers from Eclypsium after examining AMI source code that was stolen by the RansomEXX ransomware gang during a 2021 network breach of GIGABYTE. According to Eclypsium's report, these vulnerabilities pose a major risk to the technology supply chain underlying cloud computing.
If successfully exploited, they could allow threat actors to take remote control of compromised servers and deploy malware or ransomware, as well as carry out "firmware implanting or bricking motherboard components (BMC or potentially BIOS/UEFI), potential physical damage to servers (over-voltage/firmware bricking), and indefinite reboot loops that a victim organization cannot interrupt." The flaws have not yet been patched, and Eclypsium has offered mitigation techniques for hardening remote management interfaces, which are linked in the report below. CTIX analysts will continue to follow this matter and will publish updates as necessary.
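As an added illustration (not code from Eclypsium, AMI, or Ankura), the following Python script walks the Redfish API mentioned above to inventory each BMC's firmware version and which management protocols it has enabled, a starting point for the remote-management hardening Eclypsium recommends: know what is running, then disable what is not needed. The Redfish paths and field names follow the public DMTF schema (ServiceRoot, Managers, Manager, ManagerNetworkProtocol); the BMC model, firmware version, and canned responses are constructed so the script runs offline, and the set of "risky" protocols is an assumption to tune to local policy.

```python
"""Inventory BMCs over DMTF Redfish: firmware version and enabled protocols.

Added example, not code from Eclypsium, AMI or Ankura. The Redfish paths and
field names are from the public DMTF schema (ServiceRoot -> Managers ->
Manager -> NetworkProtocol); the BMC model, firmware version and responses
in SAMPLE_RESPONSES are constructed so the script runs offline.
"""
import base64
import json
import ssl
import urllib.request

# Management protocols a hardened BMC should normally have disabled
# (cleartext or legacy). Assumption for the example; tune to site policy.
RISKY_PROTOCOLS = {"HTTP", "IPMI", "Telnet", "SNMP"}


def http_fetcher(base_url, username, password, verify_tls=True):
    """Return fetch(path) -> dict that performs an authenticated GET.

    Uses HTTP Basic auth, which Redfish permits; production use should
    prefer session tokens (POST /redfish/v1/SessionService/Sessions) and
    keep verify_tls=True with the BMC's certificate trusted.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()

    def fetch(path):
        req = urllib.request.Request(
            base_url + path,
            headers={"Authorization": "Basic " + token, "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return json.load(resp)

    return fetch


def inventory_managers(fetch):
    """Walk the Managers collection and summarise each BMC."""
    root = fetch("/redfish/v1")
    collection = fetch(root["Managers"]["@odata.id"])
    summary = []
    for member in collection.get("Members", []):
        mgr = fetch(member["@odata.id"])
        entry = {
            "id": mgr.get("Id"),
            "model": mgr.get("Model"),
            "firmware": mgr.get("FirmwareVersion"),
            "enabled_protocols": [],
            "risky_enabled": [],
        }
        link = mgr.get("NetworkProtocol", {}).get("@odata.id")
        if link:
            protocols = fetch(link)
            # Protocol entries are objects with ProtocolEnabled/Port; skip
            # scalar metadata such as Id, Name and @odata.* keys.
            for name, cfg in protocols.items():
                if isinstance(cfg, dict) and cfg.get("ProtocolEnabled"):
                    entry["enabled_protocols"].append(name)
                    if name in RISKY_PROTOCOLS:
                        entry["risky_enabled"].append(name)
        entry["enabled_protocols"].sort()
        entry["risky_enabled"].sort()
        summary.append(entry)
    return summary


# Constructed responses shaped like Redfish resources; all values fabricated.
SAMPLE_RESPONSES = {
    "/redfish/v1": {"Managers": {"@odata.id": "/redfish/v1/Managers"}},
    "/redfish/v1/Managers": {"Members": [{"@odata.id": "/redfish/v1/Managers/1"}]},
    "/redfish/v1/Managers/1": {
        "Id": "1",
        "Model": "Example BMC",
        "FirmwareVersion": "1.2.3",
        "NetworkProtocol": {"@odata.id": "/redfish/v1/Managers/1/NetworkProtocol"},
    },
    "/redfish/v1/Managers/1/NetworkProtocol": {
        "Id": "NetworkProtocol",
        "HTTPS": {"ProtocolEnabled": True, "Port": 443},
        "HTTP": {"ProtocolEnabled": True, "Port": 80},
        "IPMI": {"ProtocolEnabled": True, "Port": 623},
        "SSH": {"ProtocolEnabled": False, "Port": 22},
        "Telnet": {"ProtocolEnabled": False, "Port": 23},
    },
}


def sample_inventory():
    """Run the walk against the canned responses (offline)."""
    return inventory_managers(lambda path: SAMPLE_RESPONSES[path])


if __name__ == "__main__":
    # Against a real BMC: fetch = http_fetcher("https://bmc.example.net", "admin", "secret")
    for bmc in sample_inventory():
        print(json.dumps(bmc, indent=2))
```

Run from the management network only, with the BMC's certificate in the trust store; the recorded firmware versions can then be compared against the vendor advisory once fixed builds are published, and any "risky_enabled" entries turned off through the same NetworkProtocol resource (a PATCH with `{"IPMI": {"ProtocolEnabled": false}}`, for example).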
