Weekly Cyber Reports

This Week in Cyber 19th July 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 18th July, 2024



Analyst Insight: Emerging Threats and System Disruptions


Recent developments in the cybersecurity landscape have highlighted a series of critical threats and disruptions affecting a broad range of sectors. The discovery of a GitHub token leak has exposed vulnerabilities in Python's core repositories, potentially allowing attackers to inject malicious code into widely-used packages. Additionally, the emergence of HardBit Ransomware 4.0 with advanced obfuscation techniques underscores a growing trend of sophisticated ransomware strains that are increasingly difficult to detect and mitigate. The Konfety ad fraud operation, leveraging over 250 decoy apps, and the HotPage adware, which disguises itself as a security solution to install a malicious kernel driver, further illustrate the evolving tactics of cybercriminals in exploiting vulnerabilities and evading detection.


Concurrently, the IT landscape is grappling with widespread outages that have disrupted major companies and public services. While CrowdStrike is suspected as a possible cause, there is no conclusive evidence linking the company to these disruptions, and Microsoft is actively working on mitigation efforts. The impact has been extensive, affecting financial institutions, healthcare providers, and public services such as utility companies.



Widespread Outages Affecting Numerous Services and Companies


Numerous organisations are currently experiencing significant IT service disruptions, leading to unexpected system failures and downtime. Affected businesses have reported performance degradation and system crashes, prompting urgent investigations to determine the root cause and develop a resolution. The widespread outages have had a far-reaching impact, affecting various sectors and millions of end-users.


Key organisations impacted include major institutions such as Baltic Hub, healthcare providers including at least two German hospitals, and even large-scale media corporations such as Sky. The ripple effect of these outages extends to millions of end-users who depend on these services for daily activities, from online banking to telehealth consultations.


Public services such as the NHS's GP service and emergency response systems have also been negatively affected, raising concerns about potential risks to public safety. Reports include numerous issues at a large variety of airports, with Delhi airport apparently resorting to a whiteboard to keep information available to customers and flight crews. The downtime has led to delays in critical services, causing frustration and inconvenience for the general public.


Current reports suggest that the error resulted from a software update by infosec giant CrowdStrike. At around 10:50AM, CrowdStrike's CEO confirmed that the outage was caused by a 'defect' in a 'content update' that has impacted Windows computers around the world. Mac and Linux users have not been impacted.

Microsoft is actively working on mitigation efforts to address the issue and restore normal operations for its clients. In an update at around 10:47AM in the UK, Microsoft released a statement placing the blame on an update to a 'third-party software platform'. The BBC's cyber correspondent warns this may not be easily resolved.

Organisations are advised to stay updated with the latest information and guidance to minimise further disruptions.



GitHub Token Leak Exposes Python's Core Repositories


A recently discovered GitHub token leak could have granted elevated access to the repositories of the Python language, PyPI, and the Python Software Foundation (PSF), posing a significant supply chain risk. JFrog found the token in a public Docker container on Docker Hub, within a compiled Python file that wasn’t properly cleaned up. If exploited, the token could have allowed attackers to inject malicious code into PyPI packages or alter the Python language itself. Following responsible disclosure on June 28, 2024, the token was revoked, and there is no evidence of misuse. This incident highlights the critical need for secure development practices to prevent such vulnerabilities.
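The token in this incident survived inside a compiled Python file (.pyc) that shipped in a public container image, which is exactly the kind of artifact that text-only secret scanners skip. The following is an added example, not code from JFrog, the PSF or this article: a small scanner that walks a directory tree (for instance an extracted image layer) and runs GitHub token patterns over raw bytes, so that string constants embedded in marshalled bytecode are caught as well. The token prefixes in the regex are the publicly documented GitHub formats; the sample tree, the fake token and the file names are constructed for the demo.

```python
"""Scan a directory tree (e.g. an extracted container image layer) for
GitHub token strings, including inside compiled Python bytecode (.pyc).
Added example; not the scanner JFrog used."""
import marshal
import re
import tempfile
from pathlib import Path

# Documented GitHub token shapes: classic PATs (ghp_), OAuth (gho_),
# user-to-server (ghu_), server-to-server (ghs_), refresh (ghr_) and
# fine-grained PATs (github_pat_). No \b anchors on purpose: inside a
# marshalled code object the neighbouring bytes are marshal type codes
# and length bytes, which may themselves be "word" characters.
GITHUB_TOKEN_RE = re.compile(
    rb"(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{82})"
)


def find_github_tokens(data: bytes) -> list[str]:
    """Return every GitHub-token-shaped string found in a byte blob."""
    return [m.group(0).decode("ascii") for m in GITHUB_TOKEN_RE.finditer(data)]


def redact(token: str) -> str:
    """Keep only the prefix so a finding can be reported without re-leaking it."""
    return token[:8] + "…"


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file (relative path) under root to its redacted token hits.

    Bytecode is not decompiled: the regex runs over the raw bytes, which is
    enough because CPython's marshal format stores str constants verbatim.
    """
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file():
            hits = find_github_tokens(path.read_bytes())
            if hits:
                findings[path.relative_to(root).as_posix()] = [redact(t) for t in hits]
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed fixture: a leftover .pyc holding a fake token, plus a
    clean file. The token below is made up and matches only the format."""
    fake_token = "ghp_" + ("abcdefghij0123456789" * 2)[:36]
    src = f'TOKEN = "{fake_token}"\nprint("build helper")\n'
    code = compile(src, "build.py", "exec")
    (root / "app").mkdir()
    # 16 zero bytes stand in for the .pyc header; the scanner never parses it.
    (root / "app" / "build.cpython.pyc").write_bytes(b"\x00" * 16 + marshal.dumps(code))
    (root / "app" / "README.md").write_text("No secrets here.\n")


def demo() -> dict[str, list[str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        print(f"{rel_path}: {hits}")
```

Running this as part of an image-publishing pipeline, after the build stage and before `docker push`, catches the case described above; the same byte-level scan also applies to other compiled artifacts that retain string literals, such as .pyo caches or packaged wheels.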


In related developments, Checkmarx identified malicious packages on PyPI designed to exfiltrate sensitive data to a Telegram bot linked to cybercriminal operations in Iraq. These packages scan systems for specific file types and send the data to the bot, which is involved in financial theft and social media manipulation.



HardBit Ransomware Uses Passphrase Protection to Evade Detection


Researchers have identified HardBit ransomware version 4.0, which includes advanced obfuscation techniques like passphrase protection to hinder analysis. This version requires a passphrase during runtime to execute, making it harder for security analysts to dissect. HardBit, active since October 2022, uses double extortion tactics but stands out by not having a data leak site, instead threatening future attacks to pressure victims into paying. The group communicates via the Tox messaging service and likely gains initial access through brute-forcing RDP and SMB services.
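Because the likely initial access vector here is brute-forcing of exposed RDP and SMB, the detection most worth having is a per-source count of failed logons in a short window. The following is an added example, not code from the researchers or from this article: it runs a sliding-window rule over Windows failed-logon events (Event ID 4625), keyed by source address and logon type (10 = RemoteInteractive, i.e. RDP; 3 = Network, i.e. SMB/file shares), and ignores successful logons and logon types outside those two. The event records, source addresses and timestamps are constructed for the demo and use the documentation IP ranges.

```python
"""Flag RDP/SMB brute-force attempts from Windows failed-logon events
(Event ID 4625) with a sliding window per (source IP, logon type).
Added example; the event records below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types that matter for this rule (Windows logon type codes).
LOGON_TYPE_LABEL = {3: "Network (SMB/file share)", 10: "RemoteInteractive (RDP)"}


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one alert per (src_ip, logon_type) whose 4625 count within
    any `window` reaches `threshold`. Events are sorted by time first, so
    out-of-order forwarding does not break the window logic."""
    recent = defaultdict(deque)   # key -> timestamps of failures inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in LOGON_TYPE_LABEL:
            continue
        key = (ev["src_ip"], ev["logon_type"])
        ts = datetime.fromisoformat(ev["time"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "src_ip": key[0],
                "vector": LOGON_TYPE_LABEL[key[1]],
                "failures": len(q),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


def _failures(src_ip, logon_type, start, n, step_seconds):
    """Constructed helper: n failed logons from src_ip, step_seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [{
        "time": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
        "event_id": 4625, "logon_type": logon_type,
        "src_ip": src_ip, "user": "administrator",
    } for i in range(n)]


# Constructed sample set (documentation IP ranges, not real hosts).
SAMPLE_EVENTS = (
    _failures("203.0.113.7", 10, "2024-07-18T02:00:00", 6, 10)      # 6 RDP failures in 50 s: alert
    + _failures("198.51.100.9", 3, "2024-07-18T02:05:00", 2, 5)     # 2 SMB failures: below threshold
    + _failures("192.0.2.5", 10, "2024-07-18T03:00:00", 6, 3600)    # 6 failures an hour apart: no alert
    + [{"time": "2024-07-18T02:00:30", "event_id": 4624, "logon_type": 10,
        "src_ip": "203.0.113.7", "user": "administrator"}]          # a success: ignored by the rule
)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a domain with many users legitimately mistyping passwords needs a higher bar per source than a small environment, and the same rule keyed on the target user instead of the source address catches password spraying that rotates addresses.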


Once inside a system, HardBit disables defences, terminates processes, and encrypts data, using a file infector virus called Neshta for delivery. It updates file icons, changes desktop wallpaper, and alters the system's volume label. The ransomware is available in both command-line and GUI versions, with the latter supporting a wiper mode for irreversible data destruction.



Konfety Ad Fraud: How 250+ Google Play Decoy Apps Conceal Malicious Intent


A sprawling ad fraud scheme dubbed Konfety has come to light, utilising over 250 innocuous apps on the Google Play Store as fronts for their malicious counterparts. Orchestrated by threat actors leveraging a mobile advertising SDK linked to the CaramelAds network, Konfety operates by deploying "evil twin" versions of legitimate "decoy twin" apps. These decoy apps, while benign and GDPR-compliant, are mirrored by malicious counterparts that engage in ad fraud, browser monitoring, and APK sideloading.


Notably, the evil twins mimic their decoy counterparts down to the app IDs and advertising IDs, complicating efforts to distinguish legitimate from fraudulent traffic. At its peak, the operation generated a staggering 10 billion requests daily, underscoring its scale and sophistication in circumventing detection. The malvertising campaign behind Konfety directs users to malicious URLs where they unwittingly download the evil twin apps, initiating a chain that installs secondary payloads for command-and-control communication. These apps further engage in intrusive behaviours such as displaying out-of-context ads and monitoring user searches via covert search toolbar widgets.



HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver


Researchers have uncovered an adware module named HotPage that masquerades as an ad blocker while secretly deploying a kernel driver to execute arbitrary code with elevated permissions on Windows systems. Discovered by ESET in late 2023, HotPage's installer ("HotPage.exe") installs a driver that injects code into remote processes and modifies browser network traffic. This malware can alter web page content, redirect users, and open new tabs to display ads, particularly game-related ones. Additionally, it collects and exfiltrates system information to a remote server.


The malicious driver, lacking proper access control lists, allows even non-privileged users to gain elevated privileges, posing a significant security risk. Although the distribution method of the installer remains unclear, it is marketed as a security solution for internet cafés to block ads. Notably, the driver is signed by Microsoft, suggesting that the developers met Microsoft's driver code signing requirements.
