Ankura CTIX FLASH Update - November 29, 2022
Threat Actors Exploiting Trending TikTok Challenge to Deploy Malware
Threat Actor Activity
Black Basta Unveils New Campaign Targeting United States Companies with Qakbot Malware
Black Basta threat actors have recently launched a new malicious social engineering campaign targeting United States corporations. Known for its double-extortion tactics, Black Basta has been one of the larger threat groups to emerge in 2022. Recently, the group was linked to the FIN7 cybercriminal organization after indicators from a previous attack overlapped with known FIN7 infrastructure. In the current campaign, Black Basta threat actors are using the Qakbot malware as the initial point of compromise; Qakbot is then used to move laterally throughout the victim's network. Qakbot is a banking trojan used primarily to steal financial data, including but not limited to credential pairs, keystrokes, and browser information. Several intrusions from this campaign have been fast moving: the actors typically gain access within two (2) to three (3) hours, deploy ransomware payloads within twelve (12) hours, and lock victims out of their own network by disabling DNS protocols. After the attack, Black Basta actors demand a significant ransom from the victim, using the stolen data as leverage in negotiations. Thus far, Black Basta has hit at least ten (10) corporations in this campaign and is likely to continue to do so in the coming weeks. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Google Patches Critical Zero-Day Vulnerability on Thanksgiving Day
On Thanksgiving Day 2022, Google released an emergency Chrome browser update to patch an actively exploited critical zero-day vulnerability. The flaw, tracked as CVE-2022-4135, is a heap buffer overflow in the Google Chrome GPU component. When exploited, this vulnerability could allow a remote attacker to compromise the renderer process by performing a sandbox escape via a maliciously crafted HTML page. If successfully exploited, the threat actor could bypass security mechanisms, execute arbitrary code, and create denial-of-service (DoS) conditions in the Chrome browser, leading to system crashes. The flaw was first reported to Google by Clement Lecigne, a member of Google's own Threat Analysis Group, who observed active exploitation of the flaw; a patch was released two (2) days later. At this time, there are few details about the specifics of the exploitation, as Google is withholding the information until as many Chrome users as possible have updated their browsers. Once the details of the exploit or a proof-of-concept (PoC) are released, unsophisticated threat actors will scan for vulnerable systems in an attempt to exploit as many targets as they can. CTIX analysts urge all Chrome users to verify that they are running version 107.0.5304.121 for Mac and Linux, and version 107.0.5304.121/.122 for Windows.
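The version check above is easy to get wrong when done by eye, because Chrome versions are four dotted integers and must be compared numerically, not as strings. The following Python script is an added example, not part of the Ankura CTIX bulletin or any Google tooling: it parses a Chrome version string, compares it against the fixed builds named in the advisory (107.0.5304.121 for Mac and Linux, 107.0.5304.121/.122 for Windows, so .121 is the minimum on every platform), and reports unparseable input as unpatched so the check fails closed. The local-lookup commands (`google-chrome --version`, the macOS app binary path, and the `HKCU\Software\Google\Chrome\BLBeacon` registry value on Windows) are common defaults and are an assumption about the local install; the sample version strings in `main` are constructed.

```python
import re
import subprocess
import sys

# Minimum patched Chrome build for CVE-2022-4135 per platform, taken from the
# advisory above. Windows shipped both .121 and .122; anything >= .121 has the fix.
PATCHED_MINIMUM = {
    "linux": (107, 0, 5304, 121),
    "darwin": (107, 0, 5304, 121),
    "win32": (107, 0, 5304, 121),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 107.0.5304.121' or a `reg query` line.
    Returns a tuple of ints, or None if no version is present."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, platform=sys.platform):
    """True if the given Chrome version is at or above the fixed build for
    CVE-2022-4135 on the given platform. Unparseable input is reported as
    not patched so the check fails closed rather than silently passing."""
    parsed = parse_version(version_text)
    if parsed is None:
        return False
    minimum = PATCHED_MINIMUM.get(platform, (107, 0, 5304, 121))
    # Tuple comparison is element-wise numeric, so 107.0.5304.99 < 107.0.5304.121.
    return parsed >= minimum


def installed_chrome_version():
    """Best-effort lookup of the locally installed Chrome version.
    The commands below are common defaults (assumption); returns the raw
    command output or None if Chrome cannot be queried."""
    candidates = {
        "linux": ["google-chrome", "--version"],
        "darwin": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
                   "--version"],
        "win32": ["reg", "query", r"HKCU\Software\Google\Chrome\BLBeacon",
                  "/v", "version"],
    }
    cmd = candidates.get(sys.platform)
    if not cmd:
        return None
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample outputs standing in for what the commands above return.
    samples = [
        "Google Chrome 107.0.5304.110",
        "Google Chrome 107.0.5304.121",
        "Google Chrome 108.0.5359.71",
        "version    REG_SZ    107.0.5304.122",
    ]
    for s in samples:
        print(f"{s!r}: {'patched' if is_patched(s, 'linux') else 'VULNERABLE'}")
    local = installed_chrome_version()
    if local:
        print("local install:", local,
              "patched" if is_patched(local) else "VULNERABLE")
```

Run it on an endpoint to compare the installed build against the fixed version; for fleet-wide coverage, feed the same `is_patched` function the version strings your inventory or EDR already collects rather than shelling out on each host.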