Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimaki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security Number, dates of birth and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17) , he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Kivimäki is now crowing about the sentence; He’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

Microsoft attributes a recent cyber attack against the satirical French magazine Charlie Hebdo to an Iran-linked NEPTUNIUM APT group. 

Microsoft’s Digital Threat Analysis Center (DTAC) attributes a recent cyberattacks against the satirical French magazine Charlie Hebdo to an Iran-linked threat actor tracked as NEPTUNIUM (aka Emennet Pasargad, Holy Souls). The attack is a retaliation for the initiative of Charlie Hebdo of launching a cartoon contest to mock Iran’s ruling cleric.

In early January, the threat actor claimed to have hacked the database of the magazine and obtained the personal information of more than 200,000 customers. The group released a sample of the data as a proof of the hack, exposed data include the full names, telephone numbers, and home and email addresses of accounts that had subscribed to, or purchased merchandise from, Charlie Hebdo.

This data leak puts subscribers at risk of online or physical targeting by extremist organizations.

“One month before Holy Souls conducted its attack, the magazine announced it would be holding an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei.” reads the post published by Microsoft. “The issue featuring the winning cartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices.”

The Holy Souls group advertised the huge trove of data for sale for 20 BTC (equal to roughly $340,000 at the time). 

French paper of record Le Monde verified the authenticity of data for multiple victims of the leak.

“The insulting and discourteous action of the French publication […] against the religious and political-spiritual authority will not be […] left without a response.” Iranian Foreign Minister Hossein Amir-Abdollahian tweeted on January 4.

Charlie Hebdo did not comment on the Microsoft findings.

“While the attribution we’re making today is based on a larger set of intelligence available to Microsoft’s DTAC team, the pattern seen here is typical of Iranian state-sponsored operations. These patterns have also been identified by the FBI’s October 2022 Private Industry Notification (PIN) as being used by Iran-linked actors to run cyber-enabled influence operations.” concludes Microsoft. “The campaign targeting Charlie Hebdo made use of dozens of French-language sockpuppet accounts to amplify the campaign and distribute antagonistic messaging.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

The post Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT appeared first on Security Affairs.

Simple script for the purpose of finding remote connections to Windows machine and ideally some public IPs. It checks for some EventIDs regarding remote logins and sessions.

You should pip install -r requirements.txt so the script can work and parse some of the .evtx files inside winevt folder.

The winevt/Logs folders and the script must have identical file path.

Execution Example

Result Example

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs free for you in your email box.

If you want to also receive for free the newsletter with the international press subscribe here.

CISA adds Oracle, SugarCRM bugs to its Known Exploited Vulnerabilities Catalog

GoAnywhere MFT zero-day flaw actively exploited

CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers

Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack

Exploitation attempts for Oracle E-Business Suite flaw observed after PoC release

VMware Workstation update fixes an arbitrary file deletion bug

Atlassian fixed critical authentication vulnerability in Jira Software

Russia-linked Gamaredon APT targets Ukrainian authorities with new malware

Cisco fixed command injection bug in IOx Application Hosting Environment

API management (APIM): What It Is and Where It’s Going A High-severity bug in F5 BIG-IP can lead to code execution and DoS

Experts warn of two flaws in popular open-source software ImageMagick

Over 30k Internet-Exposed QNAP NAS hosts impacted by CVE-2022-27596 flaw

Pro-Russia Killnet group hit Dutch and European hospitals

New Prilex PoS Malware evolves to target NFC-enabled credit cards

New LockBit Green ransomware variant borrows code from Conti ransomware

Nevada Ransomware Has Released Upgraded Locker

TrickGate, a packer used by malware to evade detection since 2016

IT Army of Ukraine gained access to a 1.5GB archive from Gazprom

Experts released VMware vRealize Log RCE exploit for CVE-2022-31706 GitHub to revoke stolen code signing certificates for GitHub Desktop and Atom

Pro-Palestine hackers threaten Israeli chemical companies

Pro-Russia group Killnet targets US healthcare with DDoS attacks

QNAP addresses a critical flaw impacting its NAS devices

JD Sports discloses a data breach impacting 10 million customers

Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

Sandworm APT group hit Ukrainian news agency with five data wipers

UNC2565 threat actors continue to improve the GOOTLOADER malware

Alleged member of ShinyHunters group extradited to the US, could face 116 years in jail

Pro-Russia group Killnet targets Germany due to its support to Ukraine Watch out! Experts plans to release VMware vRealize Log RCE exploit next week

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

The post Security Affairs newsletter Round 405 by Pierluigi Paganini appeared first on Security Affairs.

US CISA added actively exploited vulnerabilities in SugarCRM and Oracle products to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) added Oracle and SugarCRM flaws, respectively tracked as CVE-2022-21587 and CVE-2023-22952, to its Known Exploited Vulnerabilities Catalog.

The CVE-2022-21587 flaw (CVSS score 9.8) affects the Oracle E-Business Suite, which is a set of enterprise applications that allows organizations automate processes such as supply chain management (SCM), enterprise resource planning (ERP), and customer relationship management (CRM).

The vulnerability resides in the Web Applications Desktop Integrator of Oracle’s enterprise product and was addressed in October 2022.

An unauthenticated attacker can easily exploit the flaw via HTTP to take over Oracle Web Applications Desktop Integrator installs. The issue impacts versions 12.2.3-12.2.11.

Shadowserver researchers reported having observed first exploitation attempts on January 21, only five days after the cybersecurity firm Viettel Cyber Security released a PoC exploit code for this issue.

The CVE-2023-22952 flaw (CVSS score 8.8) is a Remote Code Execution vulnerability that affects multiple SugarCRM products.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by February 23, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities Catalog)

The post CISA adds Oracle, SugarCRM bugs to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

Threat actors are actively exploiting a zero-day vulnerability affecting Fortra’s GoAnywhere MFT managed file transfer application.

Experts warn that threat actors are actively exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT managed file transfer application.

The popular investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet to share a public advisory.

“GoAnywhere MFT, a popular file transfer application, is warning about a zero-day remote code injection exploit. The company said it has temporarily implemented a service outage in response.” Krebs wrote on Mastodon. “I had to create an account on the service to find this security advisory”

According to the private advisory published by Fortra, the zero-day is a remote code injection issue that impacts GoAnywhere MFT. The vulnerability can only be exploited by attackers with access to the administrative console of the application.

“A Zero-Day Remote Code Injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS).” reads the advisory. “If the administrative console is exposed to the public internet, it is highly recommended partnering with our customer support team to put in place appropriate access controls to limit trusted sources. The Web Client interface, which is normally accessible from the public internet, is not susceptible to this exploit, only the administrative interface.”

Installs with administrative consoles and management interfaces that are not exposed on the internet are safe, however, security researcher Kevin Beaumont discovered about 1000 Internet-facing consoles.

Fortra recommends GoAnywhere MFT customers to review all administrative users and monitor for unrecognized usernames, especially those created by system.

“The logical deduction is that Fortra is likely seeing follow-on attacker behavior that includes the creation of new administrative or other users to take over or maintain persistence on vulnerable target systems.” reads a post published by Rapid7. “Note that, while this is not mentioned explicitly in the pasted Fortra advisory text, it is also possible that threat actors may be able to obtain administrative access by targeting reused, weak, or default credentials.”

Fortra has yet to address the flaw, meantime the company recommends removing the “License Response Servlet” configuration from the web.xml file as a temporary solution.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, GoAnywhere MFT)

The post GoAnywhere MFT zero-day flaw actively exploited appeared first on Security Affairs.

A new wave of ransomware attacks is targeting VMware ESXi servers to deliver ransomware, CERT of France warns.

The French Computer Emergency Response Team (CERT-FR) warns that threat actors are targeting VMware ESXi servers to deploy ransomware.

CERT-FR reported that threat actors behind these ransomware attackers are actively exploiting the vulnerability CVE-2021-21974.

“OpenSLP as used in ESXi has a heap-overflow vulnerability.” reads the advisory published by VMware. “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.”

The vulnerability is an OpenSLP heap-overflow flaw in VMware ESXi that can be exploited by attackers to execute arbitrary code remotely on vulnerable devices. The vulnerability affects the following systems:

• ESXi 7.x versions earlier than ESXi70U1c-17325551
• ESXi versions 6.7.x earlier than ESXi670-202102401-SG
• ESXi versions 6.5.x earlier than ESXi650-202102101-SG

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.

“On February 3, 2023, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” reads the alert published by CERT-FR. “In the current state of investigations , these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol ( SLP ) service and allows a attacker to remotely exploit arbitrary code. The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”

CERT-FR urges applying all patches available for the ESXi hypervisor, it also recommends performing a system scan to detect any signs of compromise.

The CERT also recommends disabling the SLP service on ESXi hypervisors that have not been updated.

The ongoing ransomware attacks have been also reported by cloud service provider OVHcloud, which observed most of the attacks in Europe.

“A wave of attacks is currently targetting ESXi servers. No OVHcloud managed service are impacted by this attack however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.” reads the report published by OVH. “These attacks are detected globally and especially in Europe.”

According to experts, some of the attacks aimed at delivering the Nevada ransomware. Recently, researchers from cybersecurity firm Resecurity have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023.

Around February 1, 2023 – the group distributed an updated locker written in Rust for their affiliates supporting Windows, Linux and ESXi – this programming language has become a trend for ransomware developers these days (Blackcat, RansomExx2, Hive, Luna, Agenda).

However, BleepingComputer first reported that the attacks could be linked to a new ransomware family, tracked by ID Ransomware‘s Michael Gillespie as ESXiArgs.

The ransomware targets files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a “.args” file for each encrypted document with metadata.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, VMware ESXi servers)

The post CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers appeared first on Security Affairs.

A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (