Brief #23: iLeakage, CCleaner Breach, Ransom Group's Physical Threats

Mandos Brief, Week 43: iLeakage Safari exploit, StripedFly's 1M infections, Russian APT28 in France, MOVEit attack on CCleaner, and Octo Tempest's violent threats.

iLeakage: The New Safari Exploit Enables Password Stealing

  • The Exploit: Researchers have discovered a new side-channel attack named iLeakage. It targets Apple's A and M-series CPUs. The exploit uses speculative execution to steal sensitive data from Safari browsers on iOS and macOS devices. It can recover Gmail content, passwords, and more.
  • Technical Requirements: The attack is not easy to pull off. It needs deep knowledge of Apple hardware and side-channel vulnerabilities. It also requires malicious JavaScript to be run on the victim's browser. The exploit takes about five minutes to profile a machine and another 30 seconds to extract data.
  • Impact on Browsers: All browsers on iOS are affected, not just Safari. This is because Apple's policies force all iOS browsers to use Safari's WebKit engine. Chrome, Firefox, and Edge on iOS are essentially wrappers around Safari.
  • Apple's Response: Apple is aware of the issue and plans to address it in an upcoming software update. However, the current mitigation is unstable and only available for Macs, not mobile devices.

StripedFly Malware Infects 1 Million Devices, Echoes NSA-Linked Tools

  • Sophisticated Disguise: StripedFly malware has been active for over five years, infecting more than 1 million Windows and Linux systems. Initially thought to be a simple Monero miner, it's far more complex. It uses advanced techniques like Tor-based traffic hiding and custom EternalBlue exploits.
  • Multi-Platform Infection: The malware is not picky about its targets. It infects both Windows and Linux systems. It uses trusted platforms like GitHub, GitLab, and Bitbucket for updates and has worm-like spreading capabilities. It can disable the SMBv1 protocol and spread using SSH and EternalBlue.
  • Data Harvesting and Control: StripedFly can do a lot once it's in the system. It can take screenshots, record audio, and harvest sensitive data like login credentials. It communicates with its Command and Control server over the Tor network, making it hard to trace.
  • Deception and Future Concerns: The malware's crypto-mining function is a distraction. Its real aim is data theft and system control. It has links to ransomware like ThunderCrypt and is suspected to have origins in NSA-developed exploits. Its evasion techniques make it a significant future threat.

Russian APT28 Targets French Critical Networks

  • Sophisticated Infiltration: APT28, also known as Fancy Bear, targeted multiple French organizations, including government entities and universities. The group used a variety of techniques to avoid detection, such as compromising low-risk equipment at the edge of target networks. They exploited zero-day vulnerabilities and even compromised routers and personal email accounts for their operations.
  • Tactics and Tools: The group employed at least three distinct attack techniques. They searched for zero-day vulnerabilities, compromised routers and personal email accounts, and utilized open-source tools. ANSSI confirmed the use of Mimikatz for collecting sensitive information and ReGeorg for tunnel creation.
  • Stealthy Communication: The attackers used legitimate services like OneDrive and Google Drive to host their implants, making it difficult for traditional security measures to detect their activities. They also used public services like and for reconnaissance, further blending in with normal network traffic.
  • ANSSI's Recommendations: The French National Agency for the Security of Information Systems (ANSSI) has issued a series of recommendations to defend against these types of attacks. These include increasing the level of cybersecurity on networks and implementing additional defense measures.

CCleaner Users Hit by MOVEit Attack, Personal Data Stolen

  • MOVEit Vulnerability Exploited: Cyber criminals targeted CCleaner using a flaw in the MOVEit file transfer tool. They stole names, contact info, and product details. The attack affected less than 2% of users, but given CCleaner's large user base, the impact is significant.
  • Delayed Disclosure: CCleaner took several months to inform its users about the breach. This delay raises questions about the company's transparency and incident response strategy, potentially eroding trust among its user base.
  • Community Confusion: Users on CCleaner's community forum were initially unsure if the warning emails were genuine. Even moderators were not informed, leading to misinformation and increased risk for users who might have ignored genuine alerts.
  • Data Protection Advice: Users are advised to check their email and passwords on "Have I Been Pwned" for any breaches. The company is also offering dark web monitoring services to affected individuals, although this is seen as a reactive measure rather than a proactive solution.

Octo Tempest Group Threatens Physical Violence as Social Engineering Tactic

  • Sophisticated Attack Vectors: Octo Tempest, also known as 0ktapus, has been active since early 2022. Initially targeting telecom and outsourcing companies, the group has evolved to focus on financial sectors. They use advanced social engineering, SIM swapping, and even direct physical threats to gain initial access.
  • Alliance with ALPHV/BlackCat: The group has partnered with the Russian-speaking ALPHV/BlackCat ransomware group, marking a significant fusion of resources and tactics. This alliance allows Octo Tempest to operate on a broader spectrum, both geographically and in terms of potential targets.
  • Technical Prowess and Tools: The group employs a range of tactics, techniques, and procedures (TTPs) to navigate complex hybrid environments. They use tools like PingCastle and ADRecon for Active Directory reconnaissance and focus on VMware ESXi servers for ransomware deployment.
  • Defensive Measures: To defend against Octo Tempest, organizations should adhere to the principle of least privilege, store cryptocurrencies in offline cold wallets, and employ advanced network monitoring. An established incident response strategy is crucial for immediate action.