Issue 30: Transport for London Cybersecurity Incident, North Korean Hackers Exploit Chrome Zero-Day, and New Cicada Ransomware Targets ESXi Servers

Top Stories 06 September 2024:

  1. Ongoing Cyber Security Incident at Transport for London
  2. North Korean Hackers Exploit Chrome Zero-Day to Deploy Rootkit
  3. New Cicada Ransomware Targets ESXi Servers



Ongoing Cyber Security Incident at Transport for London

Transport for London (TfL) is currently looking into a cyberattack, but don’t worry – the trains are still running. So far, there's no evidence that customer information has been compromised. TfL has reported the incident to the National Crime Agency and the National Cyber Security Centre and is working closely with them to contain the impact. Immediate actions have been taken to prevent further access to TfL’s systems.


In July, TfL confirmed that the Cl0p ransomware gang hacked one of its suppliers’ MOVEit managed file transfer (MFT) servers in May 2023, stealing contact details of approximately 13,000 customers. However, their banking details were not compromised. MOVEit is also used within TfL’s systems but was not affected in this incident.


TfL oversees London’s surface, underground, and Crossrail transportation systems, serving over 8.4 million residents. This story is still unfolding, so expect more updates to come.


TLDR;

  • Transport for London (TfL) is investigating a cyberattack but says trains are still running, and no customer data appears to be compromised. The incident has been reported to authorities, and measures have been taken to secure systems.


North Korean Hackers Exploit Chrome Zero-Day to Deploy Rootkit

North Korean hackers exploited a recently patched Google Chrome zero-day (CVE-2024-7971, CVSS 8.8) to deploy the FudModule rootkit, gaining SYSTEM privileges via a Windows Kernel exploit (CVE-2024-38106, CVSS 7.8). Microsoft attributes these attacks to the North Korean group Citrine Sleet, targeting the cryptocurrency sector for financial gain.


Citrine Sleet, also known as AppleJeus, Labyrinth Chollima, and UNC4736, has links to North Korea’s Reconnaissance General Bureau. They use malicious websites disguised as legitimate cryptocurrency platforms to infect victims with fake job applications or weaponised cryptocurrency wallets.


In March 2023, UNC4736 trojanised the Electron-based desktop client of 3CX, following a supply-chain attack on Trading Technologies. Google’s TAG linked AppleJeus to the compromise of Trading Technologies’ website in March 2022. The U.S. government has warned about North Korean-backed hackers targeting cryptocurrency-related entities with AppleJeus malware for years.


Google patched CVE-2024-7971, a type confusion weakness in Chrome’s V8 JavaScript engine, last week. This vulnerability allowed remote code execution in the sandboxed Chromium renderer process. The attackers then used a Windows sandbox escape exploit (CVE-2024-38106) to gain SYSTEM privileges and downloaded the FudModule rootkit for kernel tampering and direct kernel object manipulation (DKOM).


Since October 2022, the FudModule rootkit has also been used by Diamond Sleet, another North Korean group. Microsoft released a security update for a zero-day vulnerability in the AFD.sys driver (CVE-2024-38193, CVSS 7.5) in August 2024, exploited by Diamond Sleet to establish full user-to-kernel access.


TLDR;

  • North Korean hackers exploited recent Google Chrome and Windows vulnerabilities to deploy the FudModule rootkit, gaining SYSTEM access and targeting the cryptocurrency sector. Both Google and Microsoft have patched the flaws.


New Cicada Ransomware Targets ESXi Servers

A new ransomware-as-a-service (RaaS) operation, Cicada3301, is impersonating the legitimate Cicada 3301 organisation and has already listed 19 victims on its extortion portal. The operation began promoting itself on June 29, 2024, but attacks were noted as early as June 6.

How does it work? Cicada3301 uses double-extortion tactics, breaching networks, stealing data, and encrypting devices. The ransomware is written in Rust and uses the ChaCha20 algorithm for encryption. It targets VMware ESXi servers, using commands to shut down virtual machines and delete snapshots before encryption.
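As an added defender-side illustration (not code from the newsletter or from any vendor): a small Python check over constructed ESXi shell.log lines that flags a session issuing a burst of VM kill and snapshot-removal commands, the pre-encryption behaviour described above. The log format, the command names treated as indicators and the sample lines are all assumptions modelled on ESXi's shell history.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of ESXi /var/log/shell.log (not real telemetry).
SAMPLE_SHELL_LOG = """\
2024-06-06T03:10:02Z shell[2099001]: [root]: esxcli vm process list
2024-06-06T03:10:09Z shell[2099001]: [root]: esxcli vm process kill --type=force --world-id=2100411
2024-06-06T03:10:11Z shell[2099001]: [root]: esxcli vm process kill --type=force --world-id=2100532
2024-06-06T03:10:14Z shell[2099001]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-06T03:10:16Z shell[2099001]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2024-06-06T03:10:20Z shell[2099001]: [root]: esxcli system syslog reload
2024-06-07T09:30:00Z shell[2105500]: [admin]: vim-cmd vmsvc/snapshot.removeall 40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Assumed indicators: commands that force-stop VMs or delete snapshots, which
# the page describes the ransomware running before encryption.
DESTRUCTIVE_PATTERNS = (
    re.compile(r"esxcli vm process kill"),
    re.compile(r"vim-cmd vmsvc/snapshot\.remove"),
)

def parse(log_text):
    """Yield (timestamp, pid, user, command) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["pid"], m["user"], m["cmd"]

def find_destructive_bursts(log_text, window_seconds=60, threshold=3):
    """Return (pid, user, max_commands_in_window, first_ts) for each shell
    session that issues at least `threshold` destructive commands within
    `window_seconds`; a lone snapshot removal by an admin is not reported."""
    per_session = defaultdict(list)
    for ts, pid, user, cmd in parse(log_text):
        if any(p.search(cmd) for p in DESTRUCTIVE_PATTERNS):
            per_session[(pid, user)].append(ts)
    alerts = []
    for (pid, user), times in per_session.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((pid, user, best, times[0].strftime("%Y-%m-%dT%H:%M:%SZ")))
    return alerts
```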


Significant overlaps with ALPHV/BlackCat ransomware suggest a possible rebrand or fork. Both use similar encryption methods, VM shutdown commands, and ransom note formats. Cicada3301 may also partner with the Brutus botnet for initial access.


Key vulnerabilities exploited include:

  • CVE-2024-7971 (CVSS 8.8): A Chrome zero-day allowing remote code execution.
  • CVE-2024-38106 (CVSS 7.8): A Windows Kernel flaw enabling SYSTEM privileges.
  • CVE-2024-38193 (CVSS 7.5): A zero-day in the AFD.sys driver used for user-to-kernel access.


Cicada3301’s focus on ESXi environments aims to maximise damage and pressure victims into paying ransoms. The new cybercrime operation is using the name and logo of the 2012-2014 game Cicada 3301, but it has no real link to the original. The creators of the game have distanced themselves and criticised the criminals behind the ransomware.


TLDR;

  • A new ransomware operation called Cicada3301, using the name and logo of the old Cicada 3301 game, is targeting VMware ESXi servers with double-extortion tactics. It encrypts data using Rust and ChaCha20, and may be related to ALPHV/BlackCat. Key vulnerabilities exploited include recent Chrome and Windows flaws.


By the way...

We're hosting a webinar this month where we'll share key findings from our attack surface analysis of 10 leading UK housing associations. Register your interest.


That's all folks!

Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Atif Chaudry (SOC Analyst).


If you like what you've read, subscribe so you don't miss next week's roundup!
