Weekly Cyber Reports

This Week in Cyber 02nd February 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

2nd February, 2024


Analyst Insight

This week's cyber news highlights critical vulnerabilities discovered in Ivanti systems, actively exploited by a nation-state actor to deploy malware. Additionally, a new strain of Albabat ransomware has surfaced, employing various tactics to target individuals, while the notorious Log4Shell exploit resurfaces through FritzFrog. The persistent threat of ransomware in 2024 is evident, most recently impacting companies like Schneider Electric which affected over 2000 global companies reliant on energy and resource data. It underscores the importance of robust cybersecurity measures for both home and business networks. Telesoft's MDR service emerges as a compelling solution, offering enhanced security to fortify overall cyber defenses. 


Albabat Ransomware - Users Are Not Safe


Whilst most Ransomwares attempt to target high profile companies, often in carefully coordinated attacks, some ransomwares have stared to spread their wings and focus primarily on every day operations of individuals. Albabat is one such example. With claims of being able to target Windows and Linux platforms, it has a wide reach. Yet the preference for targetting individuals is exhibited by the fact it targets files under 5MB in size and even targets the executables for various popular games. This does not mean that companies are safe, far from, for the nature of its distribution means that is perfectly capable of finding its way into a corporations network. Active monitoring of network communications, ensuring validity of software before execution and download, and use of threat-intelligence are all methods that can help keep you safe in this ransomware armageddon. 


FritzFrog Brings back the Infamous Log4Shell


The notorious peer-to-peer (P2P) botnet FritzFrog has resurfaced with a new variant that exploits the Log4Shell vulnerability to spread within compromised networks. This Golang-based malware, first identified by Guardicore (now part of Akamai) in August 2020, primarily targets internet-facing servers with weak SSH credentials. It has since evolved to attack healthcare, education, and government sectors, deploying cryptocurrency miners on infected hosts. The latest version uses the Log4Shell vulnerability as a secondary infection vector, focusing on internal hosts rather than vulnerable public assets.

When the Log4Shell vulnerability was first discovered, internet-facing applications were prioritized for patching due to their high risk of compromise. However, internal machines, which were less likely to be exploited, were often overlooked and remained unpatched — a situation that FritzFrog capitalizes on. This means that even if internet-facing applications have been patched, a breach of any other endpoint can expose unpatched internal systems to exploitation and propagate the malware. The SSH brute-force component of FritzFrog has also been updated to identify specific SSH targets by enumerating several system logs on each of its victims. Another significant change in the malware is the use of the PwnKit flaw (CVE-2021-4034) to achieve local privilege escalation. FritzFrog continues to employ tactics to remain hidden and avoid detection, taking special care to avoid dropping files to disk when possible.

This is achieved through the shared memory location /dev/shm, which has also been used by other Linux-based malware such as BPFDoor and Commando Cat, and memfd_create to execute memory-resident payloads. The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.


Nation-State Actor Exploits Zero-Days in Ivanti VPN, Deploys Rust-Based Malware


A nation-state threat actor, tracked as UTA0178 (UNC5221 by Mandiant), has been exploiting zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) in Ivanti Connect Secure (ICS) VPN devices since December 3, 2023. These flaws allow unauthenticated remote code execution with CVSS scores of 8.2 and 9.1, respectively. Although patches have been delayed, Ivanti released a temporary mitigation via an XML file.

The vulnerabilities have been leveraged by other threat actors to deploy XMRig cryptocurrency miners and a Rust-based malware named KrustyLoader. KrustyLoader functions as a loader to download and execute the Sliver adversary simulation tool, a Golang-based post-exploitation framework developed by BishopFox. Despite the rise of frameworks like Sliver, Cobalt Strike remains the most observed offensive security tool among attacker-controlled infrastructure in 2023, according to Recorded Future. On the 19th of January CISA issued 'Emergency Directive (ED) 24-01 Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities' in response to these active vulnerabilities stating that updates must be applied to the products within 48 hours of Ivanti releasing the updates.


Cloudflare Compromised by Okta Leak


Cloudflare recently disclosed a breach of its internal Atlassian server by a suspected nation-state attacker. The incident, initiated on November 14, involved unauthorized access to Confluence wiki, Jira bug database, and Bitbucket source code management. The threat actor, using stolen credentials from Okta's breach, attempted to gain persistent access, prompting Cloudflare to swiftly detect and remediate the breach by rotating over 5,000 credentials and implementing network-wide security measures. While customer data remained unaffected, ongoing efforts focus on software hardening and credential management to enhance overall security.


Ransomware Hits Schneider Electric's Sustainability Business

Schneider Electric, a major player in energy management and automation, faced a ransomware attack on its Sustainability Business division, employing the Cactus ransomware. The incident, occurring on January 17, 2024, specifically impacted the EcoStruxure Resource Advisor platform, affecting over 2,000 global companies reliant on energy and resource data monitoring.

In response, Schneider Electric promptly initiated a global incident response, collaborating with cybersecurity experts to contain and restore systems. While investigation into the breach continues, the company assures that other divisions remain unaffected. Despite ongoing efforts, they were unable to restore full functionality by the 31st of Jan. Previous blogs of ours have featured Cactus Ransomware in the past, as far back as 2023, demonstrating the prolific nature of the Malware and the threat it poses as we move further into 2024.


Recommended Posts

Subscribe to Nucleus blog updates.

Subscribe to our newsletter and stay updated.

Subscribe to Nucleus