
CISA Warns: Linux Kernel Flaw Actively Exploited in Ransomware Attacks


A critical Linux kernel vulnerability, CVE-2024-1086, is now being actively exploited in ransomware attacks, according to a recent update from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). First publicly disclosed on January 31, 2024, the flaw is a use-after-free in the netfilter nf_tables subsystem. The vulnerable code was introduced by a commit roughly a decade earlier, and the upstream fix was merged in early 2024.

The vulnerability lets an attacker who already has local access escalate privileges and take root control of the host, so it remains a severe threat on unpatched systems running kernel versions from 3.15 up to and including 6.8-rc1. That range covers kernels shipped by prominent distributions including Debian, Ubuntu, Fedora, and Red Hat, although most vendors have backported the fix without changing the kernel version number, so the version string alone does not tell you whether a given build is vulnerable.

CISA's latest advisory confirms the vulnerability is being used in live ransomware campaigns but gives no incident counts or victim breakdown. The agency added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, requiring federal agencies to patch or apply mitigations by June 20, 2024. The mitigations are: blocklisting the nf_tables kernel module where it is not in use, since the vulnerable code cannot be reached if the module cannot be loaded; restricting unprivileged user namespaces, which the public exploit relies on to obtain the CAP_NET_ADMIN capability needed to talk to nf_tables; and optionally deploying the Linux Kernel Runtime Guard (LKRG), which may introduce instability.
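As an added example (not code from the original post, from CISA, or from any distribution), the following Python script shows how a practitioner might triage hosts for exposure to this flaw and render the two module/namespace mitigations as configuration. The affected version range is the one stated above; the function names, the file paths read, and the exact sysctl and modprobe lines are the example's own assumptions. It goes slightly beyond the post by handling distribution version strings and by treating a version match as a prompt to check the vendor advisory rather than as proof of exposure, since backported fixes do not change the version number.

```python
"""Exposure triage for CVE-2024-1086 (netfilter nf_tables use-after-free).

Added example, not code from the original post, CISA or any distribution.
Assumptions: the affected upstream range 3.15 .. 6.8-rc1 is taken from the
post; the sysctl and modprobe lines are this example's own rendering of the
"blocklist nf_tables" and "restrict user namespaces" mitigations; function
names and paths are the example's own choices.
"""
import glob
import os
import platform
import re

# `install <module> /bin/false` blocks both alias autoload (all that a plain
# `blacklist` line prevents) and an explicit `modprobe nf_tables`.
MODPROBE_CONF = "install nf_tables /bin/false\n"
# Either knob stops an unprivileged user from creating a user namespace,
# which is how the public exploit obtains CAP_NET_ADMIN to reach nf_tables.
SYSCTL_CONF = (
    "kernel.unprivileged_userns_clone = 0\n"  # Debian/Ubuntu kernels only
    "user.max_user_namespaces = 0\n"          # generic; also blocks root
)

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")
_INSTALL_RE = re.compile(r"^\s*install\s+nf_tables\s+/bin/(?:false|true)\b", re.M)


def parse_release(release):
    """'5.15.0-105-generic' -> (5, 15, 0, '-105-generic'); '6.8.0-rc1' -> (6, 8, 0, '-rc1')."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch or 0), suffix


def version_in_affected_range(release):
    """True if the upstream version is within 3.15 .. 6.8-rc1 inclusive.

    True means "check the vendor advisory": distributions backport the fix
    without changing the version, so this is a prompt, not a verdict.
    """
    major, minor, _patch, suffix = parse_release(release)
    if major == 3:
        return minor >= 15
    if major in (4, 5):
        return True
    if major == 6:
        if minor < 8:
            return True
        # 6.8-rc1 still carried the bug; 6.8-rc2 and later do not.
        return minor == 8 and suffix.startswith("-rc1") and not suffix[4:5].isdigit()
    return False


def modprobe_blocks_nf_tables(conf_text):
    """True if a modprobe.d configuration prevents nf_tables from loading."""
    return bool(_INSTALL_RE.search(conf_text))


def _read_int(path):
    try:
        with open(path) as fh:
            return int(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def assess(release, nft_blocked, userns_allowed):
    """Pure decision logic, so it can be exercised with constructed inputs."""
    in_range = version_in_affected_range(release)
    actions = []
    if in_range:
        actions.append("confirm with the vendor advisory whether this build is patched; update if not")
        if not nft_blocked:
            actions.append("write MODPROBE_CONF to /etc/modprobe.d/ (if nf_tables is unused) and reboot")
        if userns_allowed:
            actions.append("apply SYSCTL_CONF to cut off the unprivileged path to nf_tables")
    return {
        "version_in_range": in_range,
        "exploit_path_open": in_range and not nft_blocked and userns_allowed,
        "actions": actions,
    }


def assess_this_host():
    """Gather the live inputs on a Linux host and run the assessment."""
    conf = ""
    for path in glob.glob("/etc/modprobe.d/*.conf"):
        if os.path.isfile(path):
            with open(path) as fh:
                conf += fh.read() + "\n"
    clone = _read_int("/proc/sys/kernel/unprivileged_userns_clone")
    max_ns = _read_int("/proc/sys/user/max_user_namespaces")
    userns_allowed = clone != 0 and max_ns != 0  # a missing knob counts as allowed
    return assess(platform.release(), modprobe_blocks_nf_tables(conf), userns_allowed)


if __name__ == "__main__":
    for key, value in assess_this_host().items():
        print(f"{key}: {value}")
```

Run it as an unprivileged user on each host; `exploit_path_open` is True only when the version is in range, nf_tables is not blocked from loading, and unprivileged user namespaces are still permitted. Note that the namespace restriction only removes the unprivileged path: a local user who already holds CAP_NET_ADMIN can still reach the vulnerable code, so it is a surface reduction rather than a substitute for the patch.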

Security experts and community commentators highlight both the significance and the scope of the risk. Root on a host lets an attacker disable defenses, alter files, move laterally across the network, and exfiltrate sensitive data, which is exactly the foothold a ransomware operator needs.

The risk is most acute in server and enterprise deployments, where long-lived kernels in the vulnerable range are common, rather than on typical desktop installations that update frequently. For context, a security researcher known as 'Notselwyn' published a proof-of-concept exploit in March 2024 that demonstrates working privilege escalation on kernel versions 5.14 through 6.6, which considerably lowers the bar for criminal use.

Immutable distributions (such as ChromeOS and Fedora Kinoite) offer a partial defense: a read-only root filesystem limits an attacker's persistence options, but it does not stop in-memory exploitation or attacks on user data. CISA's guidance is to follow vendor-specific mitigation instructions and, where no fix or mitigation is available, to discontinue use of the product.

Community discussion also reflects persistent frustration at slow patch adoption and at the difficulty of keeping kernels current across varied deployment environments. The ongoing exploitation confirmed by CISA underscores the need for timely patching, rigorous access controls, and awareness of Linux privilege-escalation risks as ransomware threats escalate.

Threat Actors Modified Open-Source Tool to Target Organizations


Cybersecurity researchers have uncovered an interesting ransomware campaign in which the attackers employed custom tools of the kind more commonly associated with APT (Advanced Persistent Threat) groups.

Earlier this week, Security Joes' researchers published a report describing the attackers' modus operandi in targeting one of the firm's clients in the gambling industry. During the attack, the ransomware operators used customized open-source tools.

According to the Security Joes report, the operational strategies, the method of selecting victims, and the ability to customize malware point to a possible link between APT and ransomware operators. No concrete evidence of such a link has been found so far, however.

The attackers employed a modified version of Ligolo, a reverse tunneling utility published on GitHub for penetration testers, and a custom tool for dumping credentials from the LSASS process. According to the Security Joes team, the operation showed that the threat actors were well trained and knowledgeable. The intrusion began with the stolen SSL VPN credentials of an employee, which gave the attackers their initial foothold; they then scanned for administrative hosts, brute-forced RDP, and harvested further credentials.

In the final stage of the campaign, the threat actors set up proxy tunneling for a secure connection and installed the well-known Cobalt Strike framework. The Security Joes team believes ransomware deployment would have been the next step, since the tradecraft matches typical ransomware-gang operations, but the attack did not get that far, so this cannot be stated with certainty.

The attackers also used several off-the-shelf open-source tools common to many adversaries, such as Mimikatz, SoftPerfect, and Cobalt Strike. One notable difference was the installation of 'Sockbot', a utility written in Go and based on the open-source Ligolo reverse tunneling tool. The attackers modified Ligolo so that it no longer needed command-line parameters and added execution checks to stop more than one instance from running at a time.

In addition, the attackers brought a custom tool, 'lsassDumper', also written in Go, which automatically extracted credential material from the LSASS process. The researchers noted that this was the first time they had observed lsassDumper in a real attack.

"Comparing the new variant (Sockbot) to the original source code available online, the threat actors added several execution checks to avoid multiple instances running at the same time, defined the value of the Local Relay as a hard-coded string to avoid the need of passing command line parameters when executing the attack and set the persistence via a scheduled task," researchers concluded.
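The brute-force-then-persist sequence described in this post, as an added detection example that is not part of the Security Joes report or the original article: the script below scans Windows Security events for an RDP brute-force burst against administrative accounts (event 4625 with logon type 10) and for a scheduled task created to run a binary from a user-writable directory, the persistence technique described for Sockbot (event 4698). Only the event IDs and the logon type are real Windows values; the field names, thresholds, the list of user-writable paths and every record in SAMPLE_LOG are constructed for the example.

```python
"""Hunt for RDP brute force and scheduled-task persistence in constructed logs.

Added example, not code from the Security Joes report or the original post.
Event IDs 4625/4698 and logon type 10 are real Windows values; every other
field name, threshold and record below is constructed for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Directories a standard user can write to; a persistence task whose command
# lives here deserves a look. Constructed list, deliberately not exhaustive.
USER_WRITABLE_PREFIXES = (
    "c:\\programdata\\",
    "c:\\users\\",
    "c:\\windows\\temp\\",
    "%appdata%",
    "%localappdata%",
    "%temp%",
)


def _ev(ts, **fields):
    return json.dumps({"ts": ts, **fields})


# Constructed sample: 12 RDP failures in under a minute from one source cycling
# through admin-style names, three scattered typos from another host, and two
# task-creation events, one of them the Sockbot-style persistence.
SAMPLE_LOG = [
    _ev(f"2022-09-14T02:11:{s:02d}Z", event_id=4625, logon_type=10,
        src_ip="10.40.3.17", target_user=u)
    for s, u in zip(range(0, 60, 5), ["Administrator", "admin", "itadmin", "backup"] * 3)
] + [
    _ev("2022-09-14T02:05:10Z", event_id=4625, logon_type=10, src_ip="10.40.7.5", target_user="jsmith"),
    _ev("2022-09-14T02:20:44Z", event_id=4625, logon_type=10, src_ip="10.40.7.5", target_user="jsmith"),
    _ev("2022-09-14T02:40:02Z", event_id=4625, logon_type=10, src_ip="10.40.7.5", target_user="jsmith"),
    _ev("2022-09-14T02:58:41Z", event_id=4698, subject_user="CORP\\svc_backup",
        task_name="\\Microsoft\\Windows\\Diagnostics\\NetCheck",
        command="C:\\ProgramData\\NetCheck\\sockbot.exe"),
    _ev("2022-09-14T03:00:02Z", event_id=4698, subject_user="CORP\\admin",
        task_name="\\Backup\\Nightly",
        command="C:\\Program Files\\Acme Backup\\backup.exe"),
]


def load_events(lines):
    return [json.loads(line) for line in lines]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_rdp_bruteforce(events, threshold=8, window_s=120):
    """Flag a source IP with >= threshold RDP logon failures inside window_s.

    Logon type 10 is RemoteInteractive. With Network Level Authentication
    enabled, failed RDP attempts are usually logged as logon type 3 instead,
    so a production rule should cover both.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 4625 and ev.get("logon_type") == 10:
            by_src[ev["src_ip"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=_ts)
        window = deque()  # sliding window of failures within window_s
        for ev in evs:
            window.append(ev)
            while (_ts(ev) - _ts(window[0])).total_seconds() > window_s:
                window.popleft()
            if len(window) >= threshold:
                findings.append({
                    "src_ip": src,
                    "count": len(window),
                    "targets": sorted({e["target_user"] for e in window}),
                    "first": window[0]["ts"],
                    "last": ev["ts"],
                })
                break  # one finding per source is enough for triage
    return findings


def detect_suspicious_tasks(events):
    """Flag scheduled-task creations whose command runs from a user-writable path."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4698:
            continue
        cmd = ev.get("command", "").strip('"').lower()
        if cmd.startswith(USER_WRITABLE_PREFIXES):
            findings.append({"task": ev["task_name"], "command": ev["command"], "by": ev["subject_user"]})
    return findings


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    for f in detect_rdp_bruteforce(events):
        print("RDP brute-force:", f)
    for f in detect_suspicious_tasks(events):
        print("Suspicious task:", f)
```

The two detections are deliberately independent: a brute-force burst that never succeeds is noise on most networks, and a task that runs from ProgramData is sometimes legitimate, but the same source host or account appearing in both within an hour, as in the constructed sample, is the combination worth paging on.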