Ransomware/Malware Activity
Researchers Identified New “RustBucket” Variant with Evolved Capabilities
Researchers have discovered a new variant of the “RustBucket” malware that is currently targeting Apple macOS users. The RustBucket malware family has been previously attributed to BlueNoroff, a North Korean subgroup of the Lazarus Group, and was first identified in April 2023. The variant, described as the “first instance of BlueNoroff malware specifically targeting macOS users,” is known as a second-stage malware that is compiled in Swift and, as of June 29, 2023, had zero (0) detections on VirusTotal, a malware analysis service. The RustBucket variant has a persistence capability that is new to the RustBucket malware family: it establishes its own persistence by adding a “plist” file at a specific path and copying its binary to an additional path. The malware is also currently “leveraging a dynamic network infrastructure methodology” for its command-and-control (C2) capabilities. The variant dynamically generates a 16-byte random value at runtime, which serves as an identifier for the specific malware instance, and gathers system information. Once a connection is established with a C2 server, one (1) of two (2) commands is returned to the malware. The first command directs the malware to self-terminate. The second command enables the operator to upload and execute malicious binaries or scripts on the infected machine. Researchers described the victim of the latest RustBucket activity as “a venture-backed cryptocurrency company providing services to businesses such as payroll and business-to-business transactions with a headquarters in the European Union.” RustBucket is currently in active development and CTIX analysts will continue to monitor its evolution. Technical details and indicators of compromise (IOCs) can be viewed in the report linked below.
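The persistence mechanism described above (a dropped launchd plist pointing at a copied binary) is the kind of artifact a macOS defender can audit directly. The following is an added example written for this update, not code from the researchers' report or from the malware; the trusted-location prefixes, the launchd directories and the two sample plists are assumptions constructed for the example, and the sample label and path are not RustBucket indicators.

```python
"""Audit macOS launchd persistence plists (LaunchAgents/LaunchDaemons).

Added defender example (hypothetical): parses launchd job plists and flags
jobs whose executable lives outside the usual system/application locations,
which is how a dropped-plist persistence entry would surface on a host.
"""
import plistlib
from pathlib import Path
from typing import Optional

# Locations that normally host the executables of legitimate launchd jobs
# (assumption for this example; tune per environment).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/Applications/")

# launchd plist directories a defender would walk on a live host.
LAUNCHD_DIRS = [
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
    Path.home() / "Library/LaunchAgents",
]


def program_of(plist: dict) -> Optional[str]:
    """Return the executable a launchd job runs: Program, else ProgramArguments[0]."""
    if isinstance(plist.get("Program"), str):
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def assess(plist_bytes: bytes) -> dict:
    """Parse one plist and return a finding with a 'suspicious' verdict and reasons."""
    plist = plistlib.loads(plist_bytes)
    prog = program_of(plist)
    reasons = []
    if prog is None:
        reasons.append("no Program/ProgramArguments key")
    elif not prog.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {prog}")
    return {
        "label": plist.get("Label"),
        "program": prog,
        "run_at_load": bool(plist.get("RunAtLoad")),  # context only, not a verdict
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def audit_host(dirs=LAUNCHD_DIRS) -> list:
    """Walk the launchd directories on a live host and assess every plist found."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            try:
                findings.append({"path": str(p), **assess(p.read_bytes())})
            except Exception as exc:  # a malformed plist is itself worth reporting
                findings.append({"path": str(p), "suspicious": True, "reasons": [repr(exc)]})
    return findings


# Constructed sample plists (not real indicators) so the example runs offline.
BENIGN = plistlib.dumps({
    "Label": "com.apple.example",
    "ProgramArguments": ["/usr/libexec/example", "--daemon"],
    "RunAtLoad": True,
})
SUSPECT = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/Users/alice/Library/Caches/.hidden/updater"],
    "RunAtLoad": True,
    "KeepAlive": True,
})

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT):
        print(assess(sample))
    for finding in audit_host():
        if finding["suspicious"]:
            print(finding)
```

Run as a script the audit walks the host's launchd directories and prints only suspicious entries; the two constructed samples show a job in a trusted location passing and a job running from a user cache directory being flagged.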
Threat Actor Activity
High Ranking OPERA1ER Admin Arrested
A top-level threat actor from the OPERA1ER threat organization has been arrested and charged for their involvement in cybercriminal activity over several years. The OPERA1ER group is a financially motivated cybercrime syndicate that has been exploiting financial organizations and telecommunications providers throughout Africa and Francophone nations since 2018. OPERA1ER shares close similarities with another threat operation called Bluebottle, a financially motivated group focused on Africa, Asia, and Latin America. Since their foundation, OPERA1ER actors have exfiltrated over $11 million from banks and telecommunications organizations through several means, including malware deployment, social engineering campaigns, and business email compromise. A distinctive tactic of OPERA1ER actors is to attack primarily on weekends or major holidays, when companies are more vulnerable, and once a target is compromised these actors maintain a hold on its network for several months. After months of coordinated effort between Interpol, AFRIPOL, and other major organizations, an unnamed high-level admin of the group was arrested for their connection to over thirty (30) cyberattacks and millions of dollars in stolen assets. Activity from the OPERA1ER organization is likely to slow following this news, and it will be a key threat group to watch over the next several months. CTIX continues to track threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Hundreds of Thousands of Fortinet Devices Still Vulnerable to “XORtigate” Exploitation
A critical FortiGate firewall remote code execution (RCE) vulnerability that was patched in June 2023 is again being exploited after researchers developed a new proof-of-concept (PoC) exploit for the same flaw. The flaw, tracked as CVE-2023-27997 (CVSS 9.8/10) and nicknamed XORtigate, is a pre-authentication heap-based buffer overflow in the SSL-VPN component of FortiOS and FortiProxy appliances. According to Shodan scans, researchers state that there are more than 335,000 unpatched instances exposed on the public internet, nearly 70% of all the known devices. The researchers from Bishop Fox state that the PoC exploit “smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell,” in approximately one (1) second. Although exploitation is avoidable through patching, the scale of exposure points to a much broader problem in infrastructure defense as a whole: according to the researchers, many of the scanned vulnerable devices are running software versions as many as eight (8) years old. Hesitancy to patch infrastructure is the leading cause of exploitation, and CTIX analysts recommend all users and administrators follow the guidance in the Fortinet advisory linked below to prevent exploitation.
- Bleeping Computer: CVE-2023-27997 Article
- Bishop Fox: CVE-2023-27997 Report
- Fortiguard: CVE-2023-27997 Advisory
Honorable Mention
Japan’s Largest Port Impacted by Ransomware Attack
On July 4th, 2023, Japan’s largest and busiest trading port, the port of Nagoya, was hit with a ransomware attack. The attacker is suspected to be a Russia-based adversary, with the Nagoya Harbor Transportation Association attributing the attack to the LockBit ransomware group. On July 5th, the port’s administrative authority announced a malfunction that had propagated through the Nagoya Port Unified Terminal System (NUTS), the central system controlling all five (5) cargo container terminals in the port. The port authority is currently working to repair the NUTS system, but until then, all loading and unloading of containers using trailers has been halted. Significant financial losses have been and will continue to be incurred until the NUTS system is repaired, along with severe disruptions to the circulation of goods to and from Japan. The port of Nagoya makes up around 10% of Japan’s total trade volume. It operates twenty-one (21) piers and 290 berths, handling over two million containers a year with an estimated cargo tonnage of around 165 million. Toyota Motor Corporation, one of the world’s largest automakers, also uses the port to export most of its cars. The port of Nagoya has seen ransomware attacks before, but none of the severity of this one.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
