Malware Activity
New Eldorado Ransomware-as-a-Service Emerges
Researchers at Group-IB have identified a new Ransomware-as-a-Service (RaaS) operator dubbed "Eldorado" after posing as a potential affiliate to gain access to the Eldorado encryptor. Promotion of the Eldorado RaaS was first observed in March 2024, when an advertisement of the ransomware was posted on the popular dark web forum "RAMP". Based on Eldorado's data leak site, sixteen (16) companies have been attacked so far, most of which are based in the USA. Group-IB's analysis of the encryptor determined the ransomware is not based on previous builders, suggesting that Eldorado is not an offshoot of an existing ransomware group. Eldorado is written Golang, which is known for being versatile across platforms. The ransomware is available in four (4) formats targeting Windows OS and VMware ESXi hypervisors. The builder for the ransomware needs either domain administrator credentials or the NTLM hash for successful encryption. Files that are encrypted are appended with the extension ".00000001", and the ransom note: "HOW_RETURN_YOUR_DATA.TXT" is left in the Documents and Desktop folders of the victim machine. The ransomware utilizes SMB communication protocol to encrypt files on shared networks, self-deletes after encryption, and removes shadow volume copies on Windows operating systems. Based on Group-IBs research, operators behind Eldorado are Russian-speaking. CTIX analysts will continue to report on new and emerging forms of malware and associated campaigns.
Threat Actor Activity
Global Operation Shuts Down Nearly 600 Cyber Criminal Servers Linked to Cobalt Strike
Operation Morpheus, a significant international law enforcement effort coordinated by Europol, has successfully targeted and dismantled nearly 600 servers associated with the Cobalt Strike framework, a tool notoriously exploited by cybercriminals for network infiltration, ransomware attacks, and cyberespionage. This operation, which took place in late June, involved law enforcement authorities from multiple countries including Australia, Canada, Germany, the Netherlands, Poland, and the United States. The operation was led by the United Kingdom's National Crime Agency and also involved cooperation from the private sector. Originally developed by Fortra (formerly Help Systems) as a legitimate penetration testing tool for identifying security vulnerabilities, Cobalt Strike has been widely misappropriated by cybercriminals and state-backed actors due to its powerful capabilities in facilitating unauthorized network access and surveillance. The operation aimed to address the misuse of older, unlicensed versions of Cobalt Strike, which have become a preferred instrument in the arsenal of various threat actors, including those operating on behalf of foreign governments like Russia, China, Vietnam, and Iran. Throughout the span of the investigation that began in 2021, law enforcement shared over seven hundred thirty (730) pieces of threat intelligence and nearly 1.2 million indicators of compromise, showcasing the extensive and collaborative effort to combat the misuse of Cobalt Strike. The crackdown involved identifying and flagging six hundred ninety (690) IP addresses in twenty-seven (27) countries to online service providers, leading to the takedown of five hundred ninety-three (593) of these addresses. Despite the success of Operation Morpheus and similar initiatives, experts acknowledge that the threat from ransomware and cyberespionage remains significant. Cybercriminals and nation-state actors are likely to adapt by seeking alternative tools and methods for conducting their operations. The actions against Cobalt Strike servers represent a crucial but partial victory in the ongoing battle against cybercrime.
- The Hacker News: Cobalt Strike Article
- The Record: Cobalt Strike Article
- Bleeping Computer: Cobalt Strike Article
Vulnerabilities
Chinese Threat Actor Exploits Cisco Switch Zero-Day Vulnerability
Chinese state-sponsored hackers, known as the Velvet Ant group, exploited a newly discovered zero-day vulnerability in Cisco's NX-OS software used in Nexus-series switches. This command injection flaw, tracked as CVE-2024-20399, allows authenticated local attackers to execute commands as root, enabling the deployment of custom malware for remote access, file uploads, and code execution on vulnerable devices. Discovered by cybersecurity firm Sygnia, this vulnerability stems from inadequate validation of CLI command arguments, allowing malicious commands to be executed without triggering syslog messages. The affected devices include various Cisco Nexus and MDS 9000 series switches. Despite the critical nature of the flaw, exploitation requires administrator credentials. Velvet Ant's sophisticated and stealthy espionage tactics aim for long-term network access, previously maintaining multiple footholds within a company for three (3) years using outdated F5 BIG-IP equipment to collect sensitive data. Cisco has issued updates to address the vulnerability but noted no workarounds exist. This development underscores the challenges in monitoring and securing network appliances, often inadequately protected and infrequently monitored. CTIX analysts recommend all users of Nexus-series switches ensure that they are running the most recent software update to prevent exploitation.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.