Ransomware/Malware Activity

RisePro InfoStealer Spread via Cracked Software Advertised on GitHub

Cybersecurity researchers have discovered GitHub repositories whose instructions for installing cracked software deliver the RisePro infostealer payload. The malicious repositories placed green Unicode circles in the "README.md" file to mimic the green and red circles GitHub uses to display the status of automatic builds, lending the projects a false sense of legitimacy. Each repository pointed to a download link at "digitalxnetwork[.]com" hosting a password-protected RAR archive; the password needed to open it is given in the GitHub README.md file. The RAR file contains an installer that unpacks an executable which injects the RisePro malware into either the AppLaunch.exe or RegAsm.exe process on the victim's machine. The RisePro infostealer is written in C++ and exfiltrates sensitive data from infected hosts to Telegram channels controlled by the attacker. It is noted that stealer malware has become increasingly popular and can be the primary vector for a ransomware attack. Other infostealers observed recently include RedLine, Vidar, and Raccoon. The vector of the RisePro compromise serves as a reminder for organizations to educate employees on the risks of downloading unapproved software and to limit software installation privileges to IT admins. CTIX analysts also recommend that organizations block the malicious site identified in this attack: "digitalxnetwork[.]com". CTIX analysts will continue to report on malware trends and novel malware delivery campaigns.
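The indicators in this item (the distribution domain and the two legitimate processes RisePro is injected into) translate directly into endpoint detection logic. The following is an added example, not code from the report: it triages constructed EDR-style events and assumes that AppLaunch.exe and RegAsm.exe spawned from a user-writable path, or reaching Telegram, are worth an alert.

```python
from pathlib import PureWindowsPath

# Indicators from the report: the distribution domain (defanged there as
# digitalxnetwork[.]com) and the two legitimate processes RisePro is injected into.
BLOCKED_DOMAINS = {"digitalxnetwork.com"}
INJECTION_HOSTS = {"applaunch.exe", "regasm.exe"}
# Assumed heuristic: an injection host launched from a user-writable location.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")

def _basename(path):
    return PureWindowsPath(path).name.lower()

def _matches_domain(name, blocked):
    """Exact or subdomain match, tolerant of a trailing dot in the DNS name."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocked)

def triage(events):
    """Return (rule, host, evidence) tuples for events matching RisePro-style activity."""
    hits = []
    for ev in events:
        host, img = ev["host"], _basename(ev.get("image", ""))
        if ev["type"] == "dns" and _matches_domain(ev["query"], BLOCKED_DOMAINS):
            hits.append(("blocked-domain", host, ev["query"]))
        elif ev["type"] == "process" and img in INJECTION_HOSTS:
            if any(m in ev["parent"].lower() for m in USER_WRITABLE_MARKERS):
                hits.append(("injection-host-from-user-path", host, ev["parent"]))
        elif ev["type"] == "network" and img in INJECTION_HOSTS:
            # Assumption: these .NET utilities have no legitimate reason to reach Telegram.
            if "telegram" in ev["dest"].lower():
                hits.append(("injection-host-to-telegram", host, ev["dest"]))
    return hits

# Constructed sample telemetry (not from the report); the third event is a benign
# RegAsm.exe launch from a system path and must not be flagged.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "digitalxnetwork.com"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\alice\Downloads\cracked_setup\installer.exe"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"type": "network", "host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "dest": "api.telegram.org:443"},
    {"type": "dns", "host": "ws02", "image": r"C:\Windows\System32\svchost.exe", "query": "github.com"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```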

Threat Actor Activity

The United States' Ongoing Battle Against Chinese Cyber Espionage

The United States is in the midst of mitigating the aftermath of a sophisticated espionage campaign orchestrated by the Chinese hacking group known as Volt Typhoon, which aimed its efforts at American critical infrastructure. The campaign's discovery and investigation have spanned nearly a year, with federal agencies, including the National Security Agency, still actively identifying affected systems and eradicating the group's presence within them. Volt Typhoon's method of operation is elusive and difficult to track: the hackers leverage legitimate user credentials to access systems and avoid deploying additional malware that could be more easily detected. The group's preferred technique involves scanning for and exploiting existing vulnerabilities in systems rather than deploying sophisticated AI-driven attacks. The threat posed by Volt Typhoon is so severe that U.S. cybersecurity officials have openly expressed concerns about the group's capabilities, especially in the event of a conflict with China. The underlying issue is that the technology securing the nation's critical infrastructure is full of insecurities, the legacy of software developers who have not been held accountable for flaws in their products and have instead prioritized speed and new features over security. Despite the ongoing challenges in fully understanding the scope of Volt Typhoon's activities, the U.S. has taken concrete steps to counteract the threat. These include the Justice Department's recent success in thwarting the group's attempt to compromise numerous American home routers as a stepping stone to more significant infrastructure targets. Furthermore, the Biden administration has been proactive in alerting the digital security community to the tactics and techniques employed by Volt Typhoon, issuing multiple advisories to raise awareness.
The ultimate goal of Volt Typhoon's actions appears to be to create widespread societal disruption, thereby weakening the United States' capacity to respond to potential international conflicts, particularly in the South Pacific region. Although it is unlikely that China would leverage Volt Typhoon's capabilities for overt aggression against the US, the potential for such an action poses a serious concern.

Vulnerabilities

Fortinet Patches Critical RCE Flaw in FortiClient EMS Solution

Fortinet has addressed a critical security vulnerability in its FortiClient Enterprise Management Server (EMS) software. The flaw, tracked as CVE-2023-48788, is an SQL injection bug in the DB2 Administration Server component. If successfully exploited, this vulnerability could allow attackers to achieve remote code execution (RCE) on affected servers. The vulnerability affects FortiClient EMS versions 7.0 and 7.2 and could allow unauthenticated threat actors to gain control over unpatched servers with SYSTEM privileges, without any user interaction. It was identified by the UK's National Cyber Security Centre (NCSC) and a Fortinet developer. Fortinet released a security advisory but did not confirm whether the vulnerability had been exploited in the wild. This incident is part of a broader pattern of vulnerabilities in Fortinet's products, including another critical out-of-bounds write flaw in FortiOS and FortiProxy, as well as high-severity flaws in FortiWLM and FortiClient EMS. These vulnerabilities pose significant risks, as they can be exploited in ransomware attacks and leveraged for cyber espionage campaigns. Fortinet's security issues have been exploited in the past, including by state-sponsored threat actors, underscoring the importance of prompt patching and system hardening to defend against potential exploits. CTIX analysts recommend that all administrators responsible for the affected software upgrade their infrastructure immediately to prevent a potential compromise.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.