Ransomware/Malware Activity

Qakbot Resurfaces in Phishing Campaign Masquerading as IRS Employees

Qakbot, the botnet known for its phishing campaigns and for injecting into legitimate Windows processes to avoid detection, has reappeared in a new campaign targeting the hospitality industry. On December 15, 2023, Microsoft made a series of posts on X, formerly known as Twitter, describing its findings, which show a threat actor using PDFs to distribute the malware. This is despite Operation Duck Hunt, a multinational effort to take down the Qakbot network and infrastructure, which was successfully executed earlier this year. Microsoft reported that in this new round of phishing the threat actors are masquerading as IRS employees and distributing the Qakbot malware via malicious files. When the victim opens the PDF, it instead prompts them to download it "for proper viewing", which actually downloads a ".msi" Windows installer file. Once executed, this installer places the Qakbot malware DLL on the device. According to Microsoft, the DLL was generated on December 11th, the same day the new phishing campaign began. Microsoft and other researchers have noted some minor differences between the older versions of Qakbot and this latest attempt at its revival, indicating that someone is still actively developing the malware. One of the more notable changes is the use of AES, rather than the previously used XOR, to decrypt the strings embedded in the sample. CTIX analysts will continue to monitor the new Qakbot campaign for further developments and information.

Threat Actor Activity

Attacks on Iranian Gas Stations Carried Out by Israel-Linked Attackers

Iranian authorities have confirmed that gas stations throughout the country experienced operational disruptions due to a cyberattack. Authorities have said that the attack took out 70% of the nation's gas stations, leaving 1,650 out of approximately 33,000 stations operational and the remaining stations operating their pumps manually. After Iran blamed the attacks on Israel and the US, an Israel-linked hacking group called Predatory Sparrow claimed responsibility, calling it retaliation for the aggressions of Iran and its allies in the region and saying it had sent warnings the month prior. The hackers have previously claimed responsibility for two (2) successful attacks on the Iranian state-owned steel company and the fuel distribution system, and Israeli media have previously reported that these hackers are believed to be connected to Israeli military intelligence. Predatory Sparrow released a statement that, despite having the capability to disrupt the entirety of gas stations across Iran, it conducted this attack in a controlled manner to ensure a portion of gas stations were left unharmed while limiting potential damage to emergency services. An increase in cyberattacks between Israel and Iran has been observed in recent months as tensions have grown during Israel's war against the Palestinian militant group Hamas, signaling the role cyber-warfare may play in evolving and future global conflicts.

Vulnerabilities

Critical Apache Struts 2 Vulnerability Under Active Exploitation

A critical vulnerability in Apache Struts 2 is under active exploitation by threat actors attempting to achieve remote code execution (RCE). Apache Struts is a very popular Model-View-Controller (MVC) Java framework used by developers to build enterprise web applications. The flaw, tracked as CVE-2023-50164 (CVSS: 9.8/10), was discovered by a researcher named Steven Seeley, who posted on X (Twitter) that a working proof-of-concept (PoC) exploit has already been made public. The bug is a path traversal vulnerability affecting how Struts handles file upload parameters. If successfully exploited, an attacker could gain complete control of affected systems by uploading a maliciously crafted file to the target environment, achieving arbitrary code execution. Given its popularity with web application developers, Struts is also a high-value target for attackers. This is not the first time Struts has been targeted: in 2017 the notorious "Struts-shock" vulnerability was exploited to compromise the Equifax credit agency, exposing the credit information of nearly 150 million people. Although CVE-2023-50164 is just as destructive as the Struts-shock vulnerability, it is much harder to exploit, requiring highly sophisticated threat actors to accomplish exploitation. There is no workaround, and CTIX analysts recommend that any administrators and developers running Apache Struts ensure that their software has been patched.
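The defect class described above, a path traversal through a user-controlled upload file name, is easiest to understand next to the control that is supposed to prevent it. The following added example is illustrative code written for this article; it is not Apache Struts code and does not reproduce the CVE-2023-50164 bug itself. It shows two independent checks an upload handler should apply in any language: an allow-list on the raw file name before any path arithmetic, and a containment check on the resolved destination. The upload root and the sample file names are constructed values.

```python
"""Added example (not Apache Struts code): validating a user-supplied upload
file name so that it cannot escape the upload directory.

UPLOAD_ROOT and SAMPLE_NAMES are constructed values for illustration.
"""
from pathlib import Path
import re

# Constructed upload directory; it does not need to exist for the checks to run.
UPLOAD_ROOT = "/tmp/ctix-example-uploads"

# Allow-list: a plain file name only. No path separators, must start with an
# alphanumeric character (so names such as ".." or "../x" fail immediately).
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeUploadPath(ValueError):
    """Raised when a user-controlled file name would leave the upload root."""


def safe_upload_path(upload_root: str, user_filename: str) -> Path:
    """Return the absolute destination for an upload, or raise UnsafeUploadPath.

    Check 1 rejects the raw name against an allow-list, so separators on
    either platform ('/' and '\\') and any '..' sequence never reach the
    filesystem layer. Check 2 resolves the final path and confirms its parent
    is exactly the resolved upload root, which catches anything the first
    check might miss once symlinks and normalisation are involved.
    """
    if not _SAFE_NAME.match(user_filename) or ".." in user_filename:
        raise UnsafeUploadPath(f"rejected file name: {user_filename!r}")

    root = Path(upload_root).resolve()
    dest = (root / user_filename).resolve()
    if dest.parent != root:
        raise UnsafeUploadPath(f"resolved outside upload root: {dest}")
    return dest


def classify_uploads(upload_root: str, names) -> dict:
    """Map each candidate file name to 'accepted' or 'rejected'."""
    verdicts = {}
    for name in names:
        try:
            safe_upload_path(upload_root, name)
            verdicts[name] = "accepted"
        except UnsafeUploadPath:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample inputs: one benign name and several traversal attempts
# using forward slashes, backslashes and an absolute path.
SAMPLE_NAMES = [
    "report.pdf",
    "../../outside.txt",
    "..\\..\\outside.txt",
    "/etc/hostname",
    "..",
]

if __name__ == "__main__":
    for name, verdict in classify_uploads(UPLOAD_ROOT, SAMPLE_NAMES).items():
        print(f"{verdict:8s} {name!r}")
```

The second check is deliberately redundant with the first. Upload code tends to be reached through several layers of parameter parsing, and CVE-2023-50164 is a reminder that a name can arrive at the filesystem layer in a form the earlier validation never saw; verifying the resolved path against the root at the last step costs little and holds regardless of how the name got there.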

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.