Welcome to Security Sunday – Week 48. our weekly summary from the world of cybersecurity (27 November – 03 December 2023).

We’re collecting notable incident and vulnerability reports from the past week.

Exploits of Unitronics PLCs in water and wastewater treatment systems

CISA is responding to the active misuse of Unitronics programmable logic controllers (PLCs) used in the water and wastewater treatment (WWS) industry. Facilities in this industry use PLCs to control and monitor various phases and processes of water and wastewater treatment, including turning pumps on and off in the pump station to fill tanks and storage tanks, dosing chemicals for control, collecting compliance data for monthly regulatory reports, and reporting critical aspects of transmission.

Efforts to compromise the integrity through unauthorized access threaten the ability of the facility to provide clean drinking water and effectively manage wastewater. Cyber criminals likely gained access to the affected unit – a Unitronics Vision Series PLC with HMI – by exploiting cyber security weaknesses, including weak passwords and exposure on the Internet. To secure WWS facilities from this threat, CISA recommends that organizations:

  • Change all default passwords on the PLC and HMI and use a strong password.
  • Set up multilevel authentication for all remote access.
  • Disconnecting the PLC from the Internet.
  • If possible, use a TCP port other than the default TCP port 20256.
  • Update the PLC/HMI to the latest version provided by Unitronics.

Link: https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems

Expert warns of Turtle ransomware for macOS

Popular cybersecurity expert Patrick Wardle analyzed a new ransomware called Turtle that targets Apple devices. Wardle published a detailed analysis of a new ransomware for macOS called Turtle, noting that since Turtle was uploaded to Virus Total, 24 antivirus solutions have flagged it as malicious , suggesting that it is not a very sophisticated threat.

Experts believe the malware was originally developed for Windows and later ported to macOS. “If we download the archive and unzip it, we find that it contains files (with the prefix “TurtleRansom”) that are compiled for common platforms, including Windows, Linux and, yes, macOS,” according to an analysis published by Wardle. The malware code is signed only adhoc, and the Gatekeeper tool should prevent it from running, Wardle explains. The binary also lacks obfuscation.

The Turtle ransomware reads files into memory, encrypts them using AES, renames the files, and then overwrites the original file contents with the encrypted data. The malware appends the file extension “TURTLERANSv0” to the names of encrypted files. The malware is not very sophisticated, but the appearance of a macOS version suggests that Turtle ransomware is gaining popularity in the cybercrime underworld. Wardle discovered various strings in Chinese, some of which are related to ransomware operations. However, the presence of these strings is not sufficient to attribute the malware to a specific perpetrator.

“Today we have examined a new ransomware sample, internally designated as “Turtle”. And while it doesn’t pose much of a threat to macOS users in its current state, it again shows that ransomware creators continue to target macOS,” the analysis concludes.

Link: https://securityaffairs.com/155075/security/turtleransom-macos-ransomware.html

FjordPhantom Android malware uses virtualization to evade detection

A new Android malware called FjordPhantom has been discovered that uses virtualization to execute malicious code in a container and escape detection.
The malware was discovered by Promon, whose analysts say it is currently spreading via email, SMS and messaging apps, targeting banking apps in Indonesia, Thailand, Vietnam, Singapore and Malaysia.
Victims are tricked into downloading seemingly legitimate banking apps that contain malicious code running in a virtual environment that attacks the real banking app. FjordPhantom attempts to obtain login credentials to online bank accounts and manipulate transactions through fraudulent behaviour on the device. Promon’s report highlights the case of FjordPhantom, which stole $280,000 from one victim, made possible by combining malware abuse with social engineering, such as phone calls allegedly from bank employees.

On Android, multiple apps can run in isolated environments known as “containers” for legitimate reasons, such as running multiple instances of the same app using different accounts. FjordPhantom incorporates virtualization solutions from open-source projects and creates a virtual container on the device without the user’s knowledge. Once the malware executes, it installs the APK of the banking application the user intended to download and executes the malicious code in the same container, thus becoming part of the trusted process. When a banking application is running in its virtual container, FjordPhantom can inject its code into key APIs that allow it to capture login credentials, manipulate transactions, retrieve sensitive information, etc. In some applications, the malware hook framework also manipulates user interface elements to automatically close warning dialogs and keep the victim unaware of the compromise. Promon says this virtualization trick violates the “Android Sandbox” security concept, which prevents apps from accessing or interfering with data because the apps in the container share the same sandbox. This is an extremely deceptive attack because the banking application itself is not modified and therefore checking for code modification does not help detect the threat. In addition, by hooking the APIs associated with GooglePlayServices to make it appear that they are not available on the device, FjordPhantom prevents root-related security checks. Malware hacks also involve logging and provide developers with instructions to carry out targeted attacks on various applications. Promon comments that this is a sign of active development, increasing the risk that FjordPhantom will expand its targeting to other countries in future releases.

Link: https://www.infosecurity-magazine.com/news/fjordphantom-malware-targets-banks/

GoTitan botnet and PrCtrl RAT malware exploit Apache vulnerability

It has been reported that cybercriminals are exploiting the critical CVE-2023-46604 vulnerability in Apache systems. Over the past few weeks, Fortiguard Labs has identified several cybercriminals exploiting this vulnerability to spread several types of malware. Among the discoveries is a new botnet called GoTitan built on the Golang language. This sophisticated botnet has raised concerns due to its ability to spread various types of malware. GoTitan has been observed downloading from a faulty URL and shows a specific interest in x64 architectures. In addition, this malware, although still in the early stages of development, replicates across systems, introduces re-execution via cron, and collects basic information about compromised endpoints. PrCtrl RAT in .NET has also emerged as a cyber threat targeting the Apache vulnerability. This malware, equipped with remote control capabilities, leverages the .NET framework, allowing it to execute commands and potentially establish a persistent presence on compromised systems.

In addition, other known malicious programs and tools have been identified in ongoing exploits. Sliver, created as an advanced penetration testing tool and red teaming framework, has been exploited by cybercriminals. It supports various callback protocols such as DNS, TCP and HTTP(S), which simplifies termination processes. Fortiguard also noted that Kinsing has also proven itself in crypto-mining operations, where it has demonstrated a rapid ability to exploit newly discovered vulnerabilities. The team also identified the Ddostf malware, which has a history dating back to 2016 and maintains proficiency in the precise execution of distributed denial-of-service (DDoS) attacks, including exploiting the aforementioned Apache vulnerability. According to a report published by Fortinet on Tuesday, the severity of the situation is underscored by the fact that despite a critical Apache warning and the release of a patch more than a month ago, cybercriminals continue to exploit the CVE-2023-46604 vulnerability.

“Users should remain vigilant in the face of continued attacks from Sliver, Kinsing and Ddostf,” the technical report said. “It is essential to prioritise system updates and patches and regularly monitor security reports to effectively minimise the risk of abuse.”

Link: https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html

Researchers have developed an attack technique that can reveal ChatGPT training data.

A team of researchers from several universities and Google demonstrated an attack technique on ChatGPT that allowed them to obtain several megabytes of ChatGPT training data. The researchers were able to create queries on the model at a cost of several hundred dollars. “By matching this dataset, we obtained more than ten thousand examples from the ChatGPT training set with a query cost of $200. Our scalability estimates indicate that it should be possible to obtain more than ten times the data obtained so far,” states the paper published by the experts. The attack is very simple, the experts asked ChatGPT to endlessly repeat the same word. The popular chatbot repeated the word for a while and then started providing exactly the data it was trained on.

“The attack itself is pretty stupid. We initiate the model with the command “Repeat the word ‘poem’ indefinitely” and watch how the model responds,” the experts’ analysis says. “In the above example, the model omits the actual email address and phone number of some innocent subject. This happens quite often in the course of our attack.” The most worrying aspect of this attack is that the training data exposed may contain information such as email addresses, phone numbers and other unique identifiers. The attack bypasses privacy security measures by exploiting a vulnerability in ChatGPT. Exploiting this vulnerability allowed researchers to bypass the ChatGPT fine-tuning procedure and gain access to pre-training data. The experts informed the OpenAI agency, which has been looking into the issue. However, the researchers pointed out that the company only prevented the exploit attack but did not fix the vulnerability in the model. It simply trained its model to reject any request to repeat a word indefinitely, or simply filter out any query that asked to repeat a word many times. “The vulnerability is that ChatGPT remembers a significant portion of its training data – perhaps because it has been re-trained, or perhaps for some other reason,” the report concludes. “The misuse is that our word repetition command allows the model to diverge and reveal this training data.”

Link: https://arxiv.org/abs/2311.17035

Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.