LockBit gang claimed responsibility for the attack on City of Wichita
The LockBit ransomware group has added the City of Wichita to its Tor leak site and threatened to publish stolen data.
Last week, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat.
Wichita is the most populous city in the U.S. state of Kansas and the county seat of Sedgwick County. As of the 2020 census, the population of the city was 397,532.
The security breach took place on May 5th, 2024, and the City immediately started its incident response procedure to prevent the threat from spreading.
The City is investigating and containing the incident with the help of third-party security experts and federal and local law enforcement authorities.
“We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network.” reads the security breach notification. “This decision was not made lightly but was necessary to ensure that systems are securely vetted before returning to service.”
The City warned that some services may be temporarily unavailable while systems are offline.
The City hasn’t disclosed the family of ransomware that infected its systems or the name of the extortion gang behind the attack.
“We are working with specialists to thoroughly review and assess systems before putting them back online. Systems will be restored on a staggered basis to minimize disruptions. We do not have a definitive timeline for returning all systems to production.” the city noted.
“This [the name of the group that is claiming responsibility for the attack] is not being shared for operational security purposes.” states the report.
However, the LockBit ransomware gang claimed responsibility for the cyberattack on the City of Wichita.
The deadline for the ransom payment is May 15, 2024.
The City is still facing disruptions caused by the attack.
“The information technology department and its security partners continue to work around the clock to address the cyber security incident. Many City systems are down as security experts determine the source and extent of the incident. There is no timetable for when systems could be coming back online. We appreciate your patience as we work through this incident as quickly and as thoroughly as possible.” reads an update published by the City.
The extortion group claimed responsibility for the attack after law enforcement agencies unmasked and sanctioned the leader of the LockBit group, Dmitry Yuryevich Khoroshev, aka LockBitSupp.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, City of Wichita)
New TunnelVision technique can bypass the VPN encapsulation
TunnelVision is a new VPN bypass technique that enables threat actors to spy on users’ traffic by bypassing the VPN encapsulation.
Leviathan Security researchers recently identified a novel attack technique, dubbed TunnelVision, to bypass VPN encapsulation. A threat actor can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol).
The technique causes the VPN to fail to encrypt certain packets, leaving the traffic vulnerable to snooping. The researchers referred to this result as “decloaking.” The experts pointed out that the VPN control channel remains active during the attack and users still appear connected to the VPN in all observed instances.
The technique manipulates the routing tables that are used to send network traffic through the VPN tunnel.
TunnelVision exploits the vulnerability CVE-2024-3661, a DHCP design flaw: DHCP messages, including the classless static route option (option 121), are not authenticated and can therefore be manipulated by attackers.
Option 121 enables administrators to incorporate static routes into a client’s routing table using classless ranges. There is no restriction, aside from packet size, on the number of different routes that can be simultaneously installed.
A threat actor that can send DHCP messages can tamper with routes to reroute VPN traffic, enabling them to intercept, disrupt, or potentially manipulate network traffic.
A local network attacker can exploit the technique to redirect traffic to the local network instead of the VPN tunnel.
The attackers can decloak VPN traffic only if the targeted host accepts a DHCP lease from the attacker-controlled server and the targeted host’s DHCP client implements DHCP option 121.
“We want to stress that there are ways an attacker who is on the same network as a targeted user might be able to become their DHCP server:
- A rogue DHCP server using a DHCP starvation attack against the true DHCP, then responding to new clients. We have achieved this in lab environments and are working on a follow-up blog post.
- A rogue DHCP server racing to respond to DHCPDISCOVER broadcasts to abuse DHCP clients’ common behavior where they implement first-offer lease selection.
- ARP spoofing to intercept traffic between the true DHCP server and client, then waiting for a client to renew their lease.” reads the report from Leviathan Security.
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway. When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”
The researchers explained that during the attack the victim does not notice any disconnection from the VPN. They also remarked that the flaw isn’t tied to a specific VPN provider or implementation.
The TunnelVision technique is effective against most IP routing-based VPN systems.
The researchers speculate that the vulnerability existed in DHCP since 2002, when option 121 was implemented. They believe the technique could have already been discovered and potentially used in the wild by threat actors.
To mitigate the issue, VPN providers could implement network namespaces on supporting operating systems to isolate interfaces and routing tables from the local network’s control.
The experts provided other mitigations, including using firewall rules, ignoring option 121, using a hotspot or VM, and avoiding untrusted networks.
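As an added illustration of the mechanism described above (this is not code from the Leviathan Security report), the Python below decodes the option 121 route list from the options field of a DHCP OFFER and reports which destinations a VPN client would reach outside its tunnel. The DHCP options blob is a constructed sample, and the assumption that the VPN client claims all traffic with two /1 routes (or a single default route) is the common redirect-gateway pattern, not a property of any particular VPN product. Defenders can run the same decoding against captured DHCP offers to spot unexpected routes, which is the "ignoring option 121" mitigation in check form.

```python
"""Decode DHCP classless static routes (option 121) and report which
destinations a VPN client would reach outside its tunnel.

Added example for the TunnelVision discussion; not code from the
Leviathan Security report.  SAMPLE_OFFER below is a constructed DHCP
options blob, and the "VPN installs /1 routes" assumption reflects the
common redirect-gateway behaviour rather than any specific VPN product.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

OPT_PAD = 0
OPT_ROUTER = 3
OPT_CLASSLESS_STATIC_ROUTE = 121     # RFC 3442
OPT_MS_CLASSLESS_STATIC_ROUTE = 249  # Microsoft's pre-RFC code, same wire format
OPT_END = 255


def parse_dhcp_options(blob: bytes) -> dict[int, bytes]:
    """Split the DHCP options field into {code: data}.

    Repeated codes are concatenated, as RFC 3396 requires for long options.
    """
    opts: dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(data)} present")
        opts[code] = opts.get(code, b"") + data
        i += 2 + length
    return opts


@dataclass(frozen=True)
class StaticRoute:
    destination: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address


def parse_classless_routes(data: bytes) -> list[StaticRoute]:
    """Decode the RFC 3442 list: <prefix len><significant dest octets><4-byte router>...

    Only ceil(prefix_len / 8) destination octets are on the wire; the rest
    are implicitly zero.  A malformed or truncated entry raises ValueError.
    """
    routes: list[StaticRoute] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n = (prefix_len + 7) // 8
        if i + 1 + n + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i + 1 : i + 1 + n] + b"\x00" * (4 - n)
        gw = data[i + 1 + n : i + 5 + n]
        routes.append(StaticRoute(
            ipaddress.IPv4Network((dest, prefix_len), strict=False),
            ipaddress.IPv4Address(gw),
        ))
        i += 5 + n
    return routes


def routes_from_offer(blob: bytes) -> list[StaticRoute]:
    """All classless routes a client would install from this options field."""
    opts = parse_dhcp_options(blob)
    routes: list[StaticRoute] = []
    for code in (OPT_CLASSLESS_STATIC_ROUTE, OPT_MS_CLASSLESS_STATIC_ROUTE):
        if code in opts:
            routes.extend(parse_classless_routes(opts[code]))
    return routes


def bypassing_destinations(routes: list[StaticRoute], vpn_prefixlen: int = 1) -> list[StaticRoute]:
    """Routes more specific than the VPN's own routes.

    Assumption: the VPN client claims traffic with 0.0.0.0/1 and 128.0.0.0/1
    (or a single /0).  A DHCP-installed route with a longer prefix wins
    longest-prefix matching, so packets to it leave via the LAN gateway in
    cleartext: the "decloaking" effect the report describes.
    """
    return [r for r in routes if r.destination.prefixlen > vpn_prefixlen]


def leaves_tunnel(routes: list[StaticRoute], ip: str, vpn_prefixlen: int = 1) -> bool:
    """Would a packet to `ip` be routed outside the tunnel?"""
    addr = ipaddress.IPv4Address(ip)
    best = max((r for r in routes if addr in r.destination),
               key=lambda r: r.destination.prefixlen, default=None)
    return best is not None and best.destination.prefixlen > vpn_prefixlen


# Constructed DHCP OFFER options field (fixed BOOTP header omitted):
#   53/1  message type = OFFER
#   1/4   subnet mask 255.255.255.0
#   3/4   router 192.168.1.1
#   121   three classless routes, all via 192.168.1.1:
#         0.0.0.0/0, 203.0.113.0/24, 198.51.100.0/25
#   255   end
SAMPLE_OFFER = bytes.fromhex(
    "350102"
    "0104ffffff00"
    "0304c0a80101"
    "7916"
    "00" "c0a80101"
    "18" "cb0071" "c0a80101"
    "19" "c6336400" "c0a80101"
    "ff"
)


def report(blob: bytes = SAMPLE_OFFER) -> list[str]:
    """Human-readable summary of which destinations would be decloaked."""
    routes = routes_from_offer(blob)
    lines = [f"{len(routes)} classless route(s) in option 121/249"]
    for r in bypassing_destinations(routes):
        lines.append(f"traffic to {r.destination} would leave the tunnel via {r.gateway}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The default route in the sample is not flagged: a /0 pushed by DHCP is ordinary (RFC 3442 says a client that honours option 121 ignores the option 3 router) and is less specific than the VPN's routes. The two narrower prefixes are what pull traffic off the tunnel, and those are the entries a client or monitoring tool should treat as suspicious on a network where the VPN is meant to carry everything.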
Below is a video PoC of the attack published by the researchers:
“We have a limitation as a research team of two – there are simply too many VPNs on the market to test each one individually. The first approach we took was to notify companies via bug bounties or security disclosure email, but that quickly became unscalable. We’ve also engaged the EFF and CISA to help disclose as broadly as possible prior to publicly releasing this research. We thank them tremendously for their help.” concludes the report.
(SecurityAffairs – hacking, TunnelVision)
LiteSpeed Cache WordPress plugin actively exploited in the wild
Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over websites.
WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress.
LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. The plugin has over 5 million active installations.
The vulnerability, tracked as CVE-2023-40000 (CVSS score: 8.3), is an Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) issue in LiteSpeed Technologies LiteSpeed Cache that allows stored XSS.
Attackers exploited the issue to create rogue admin accounts, named wpsupp-user and wp-configuser, on vulnerable websites.
Upon creating admin accounts, threat actors can gain full control over the website.
Patchstack discovered the stored cross-site scripting (XSS) vulnerability in February 2024.
An unauthenticated user can trigger the issue to elevate privileges by using specially crafted HTTP requests.
WPScan reported that threat actors may inject a malicious script into vulnerable versions of the LiteSpeed plugin. The researchers observed a surge in access to a malicious URL on April 2 and on April 27.
“The most common IP addresses that were probably scanning for vulnerable sites were 94.102.51.144, with 1,232,810 requests, and 31.43.191.220 with 70,472 requests.” reads WPScan.
The vulnerability was fixed in October 2023 with the release of version 5.7.0.1.
Researchers provided indicators of compromise for these attacks, including malicious URLs involved in the campaign: https[:]//dns[.]startservicefounds.com/service/f[.]php, https[:]//api[.]startservicefounds[.]com, and https[:]//cache[.]cloudswiftcdn[.]com. The researchers also recommend watching out for IPs associated with the malware, such as 45.150.67.235.
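A site owner reading this would want to sweep their own WordPress data for the indicators listed above. The Python below is an added example (not code from WPScan or Patchstack) that refangs the defanged URLs and IPs from the article, then scans lines of a database export and an access log for the indicator hostnames, the scanning and malware IPs, and the two rogue admin usernames. The SQL rows and log lines are constructed samples; the `wp_users` column order (ID first, then user_login) follows the default WordPress schema.

```python
"""Sweep WordPress exports for the LiteSpeed Cache campaign indicators.

Added example; not code from WPScan or Patchstack.  The indicators are the
defanged URLs, IPs and usernames quoted in the article.  SAMPLE_LINES are
constructed database rows and access-log lines, not real data.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators exactly as the article gives them (defanged).
DEFANGED_URLS = (
    "https[:]//dns[.]startservicefounds.com/service/f[.]php",
    "https[:]//api[.]startservicefounds[.]com",
    "https[:]//cache[.]cloudswiftcdn[.]com",
)
IOC_IPS = frozenset({"45.150.67.235", "94.102.51.144", "31.43.191.220"})
ROGUE_ADMINS = frozenset({"wpsupp-user", "wp-configuser"})


def refang(indicator: str) -> str:
    """Undo the [.] / [:] defanging used in the report."""
    return indicator.replace("[:]", ":").replace("[.]", ".")


def ioc_hostnames() -> frozenset[str]:
    """Hostnames to look for, derived from the refanged URLs."""
    return frozenset(urlsplit(refang(u)).hostname for u in DEFANGED_URLS)


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Matches `INSERT INTO wp_users VALUES (<id>,'<user_login>', ...` (default schema order).
_USER_LOGIN = re.compile(r"INSERT INTO `?wp_users`?[^;]*?VALUES\s*\(\s*\d+\s*,\s*'([^']+)'", re.I)


def scan_lines(lines: list[str]) -> list[dict]:
    """Return one finding per indicator hit: {"line", "type", "value"}."""
    hosts = ioc_hostnames()
    findings: list[dict] = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for host in sorted(hosts):
            if host in low:
                findings.append({"line": n, "type": "ioc-domain", "value": host})
        for ip in _IPV4.findall(line):
            if ip in IOC_IPS:
                findings.append({"line": n, "type": "ioc-ip", "value": ip})
        m = _USER_LOGIN.search(line)
        if m and m.group(1).lower() in ROGUE_ADMINS:
            findings.append({"line": n, "type": "rogue-admin", "value": m.group(1)})
    return findings


# Constructed samples: a database dump fragment followed by two access-log lines.
SAMPLE_LINES = [
    # option row where an injected script tag was stored (constructed option name)
    "INSERT INTO `wp_options` VALUES (412,'litespeed.conf.sample',"
    "'<script src=\"https://dns.startservicefounds.com/service/f.php\"></script>','yes');",
    "INSERT INTO `wp_options` VALUES (2,'siteurl','https://shop.example.org','yes');",
    # a legitimate admin and a rogue one
    "INSERT INTO `wp_users` VALUES (1,'alice','$P$Bx...','alice','alice@example.org','',"
    "'2023-01-09 10:00:00','',0,'alice');",
    "INSERT INTO `wp_users` VALUES (7,'wpsupp-user','$P$Bx...','wpsupp-user','','',"
    "'2024-04-27 03:12:45','',0,'wpsupp-user');",
    # combined-log-format requests: one from a scanning IP named in the report, one benign
    '94.102.51.144 - - [27/Apr/2024:03:12:40 +0000] "GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Apr/2024:03:13:01 +0000] "GET / HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f['line']}: {f['type']} {f['value']}")
```

Feed it `mysqldump` output and web server logs line by line; a hit on the domain in `wp_options` or `wp_posts` points at the stored payload, a hit in `wp_users` at the account the article says the attackers created, and a scanning IP in the access log is corroborating but not sufficient evidence on its own.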
(SecurityAffairs – hacking, LiteSpeed Cache)
Most Tinyproxy Instances are potentially vulnerable to flaw CVE-2023-49606
A critical remote code execution vulnerability in the Tinyproxy service potentially impacts about 50,000 Internet-exposed hosts.
Researchers from Cisco Talos reported a use-after-free vulnerability in the HTTP Connection Headers parsing of Tinyproxy 1.11.1 and Tinyproxy 1.10.0. The issue is tracked as CVE-2023-49606 and received a CVSS score of 9.8. The exploitation of the issue can potentially lead to remote code execution.
“A specially crafted HTTP header can trigger reuse of previously freed memory, which leads to memory corruption and could lead to remote code execution. An attacker needs to make an unauthenticated HTTP request to trigger this vulnerability.” reads the advisory.
Tinyproxy is an open-source HTTP proxy daemon designed for simplicity and efficiency.
Over 90,000 hosts expose a Tinyproxy service on the internet, and roughly 57% of them are potentially vulnerable. Talos researchers published proof-of-concept exploit code for this vulnerability.
“As of May 3, 2024, Censys observed over 90,000 hosts exposing a Tinyproxy service, ~57% of which are potentially vulnerable to this exploit.” reads the report.
Most of the exposed hosts are in the United States, followed by South Korea and China.
| Country | Host Count | Percentage |
| --- | --- | --- |
| United States | 32,846 | 36.37% |
| South Korea | 18,358 | 20.33% |
| China | 7,808 | 8.65% |
| France | 5,208 | 5.77% |
| Germany | 3,680 | 4.07% |
The project maintainers temporarily addressed the issue with the release of version 1.11.1; the Tinyproxy 1.11.2 release will definitively fix it.
- “The issue is fixed in master with commit 12a8484. The code may appear naive, but it allows circumventing the allocation of more memory, which could fail again. The straightforward fix would be to strdup the value retrieved from the key/value store, and then work on that and free it later.
- The code is only triggered after access list checks and authentication have succeeded. So if you use basic auth with a reasonably secure password or allow only specific trusted hosts, you won’t have to worry. Same if your proxy is only available on a trusted private network, like inside a corporate environment (you gotta trust your employees anyway). So it seems most tinyproxy users won’t have to worry – because who runs an entirely open proxy on the open internet these days?” reads the maintainers’ comment.
(SecurityAffairs – hacking, RCE)
UK Ministry of Defense disclosed a third-party data breach exposing military personnel data
The UK Ministry of Defense disclosed a data breach at a third-party payroll system that exposed data of armed forces personnel and veterans.
The UK Ministry of Defense disclosed a data breach impacting a third-party payroll system that exposed data of approximately 272,000 armed forces personnel and veterans.
The Ministry of Defence revealed that a malign actor gained access to part of the Armed Forces payment network, an external system completely separate from the MOD’s core network.
Defence Secretary Grant Shapps told the House of Commons that the impacted system is not connected to the main military HR system.
The UK Ministry of Defense is reviewing the operations of the impacted contractor and announced that appropriate measures will be taken.
The compromised information includes the personal data of regular and reserve personnel and some recently retired veterans. The malicious actor gained access to names and bank details, and, in a smaller number of cases, addresses of the impacted personnel.
The UK government did not publicly attribute the attack; however, the BBC reported that UK ministers suspected China was responsible.
“Grant Shapps told MPs the government had reason to believe the hack “was the suspected work of a malign actor” – and the BBC understands that ministers suspect China was responsible.” states the BBC.
Mr. Shapps publicly criticized the contractor, stating there was “evidence of failings” in the management of the breached system.
“For reasons of national security, we can’t release further details of the suspected cyber activity behind this incident,” Mr. Shapps added.
China denied any involvement in the attack and labeled the accusation as a “fabricated and malicious slander”.
“We urge the relevant parties in the UK to stop spreading false information, stop fabricating so-called China threat narratives, and stop their anti-China political farce,” a spokesman for the Chinese embassy in the UK said.
Labour’s shadow defence secretary John Healey speculated that the external contractor operating the breached system was Shared Services Connected Ltd (SSCL).
SSCL is a joint venture between the British government and a private tech firm; it provides services to the Home Office, Cabinet Office and Ministry of Justice.
(SecurityAffairs – hacking, UK Ministry of Defense)
Law enforcement agencies identified LockBit ransomware admin and sanctioned him
The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of the LockBit operation and sanctioned him.
The FBI, UK National Crime Agency, and Europol have unmasked the identity of the admin of the LockBit ransomware operation, aka ‘LockBitSupp’ and ‘putinkrab’, and issued sanctions against him. It was the first time that the admin of the notorious group was identified by law enforcement.
The man is a Russian national named Dmitry Yuryevich Khoroshev (31) of Voronezh, Russia.
“The sanctions against Russian national Dmitry Khoroshev (pictured), the administrator and developer of the LockBit ransomware group, are being announced today by the FCDO alongside the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Australian Department of Foreign Affairs.” reads the press release published by NCA.
The NCA states that Khoroshev will now be subject to a series of asset freezes and travel bans.
“Khoroshev, AKA LockBitSupp, who thrived on anonymity and offered a $10 million reward to anyone who could reveal his identity, will now be subject to a series of asset freezes and travel bans.” continues the NCA.
According to the UK agency, data retrieved from the systems belonging to the ransomware gang revealed that from June 2022 to February 2024, the criminals orchestrated over 7,000 attacks. The most targeted countries included the US, UK, France, Germany, and China.
The LockBit operation targeted over 100 hospitals and healthcare companies, resulting in at least 2,110 victims. The NCA states that although the group attempted to rebuild its operation, the international law enforcement operation carried out in February severely impacted the gang’s activities.
LockBit created a new leak site to inflate their apparent activity. Since the NCA’s intervention in February, LockBit attacks in the UK have decreased by 73%, with similar reductions reported in other countries. The investigation also provided insight into the group’s operations and network.
The NCA added that of the 194 affiliates identified as using LockBit’s services up until February 2024:
- 148 built attacks.
- 119 engaged in negotiations with victims, meaning they definitely deployed attacks.
- Of the 119 who began negotiations, there are 39 who appear not to have ever received a ransom payment.
- 75 did not engage in any negotiation, so also appear not to have received any ransom payments.
The US government had previously charged five other LockBit members: Artur Sungatov, Ivan Kondratyev (Bassterlord), Ruslan Magomedovich Astamirov, Mikhail Matveev (Wazawaka), and Mikhail Vasiliev.
“These sanctions are hugely significant and show that there is no hiding place for cyber criminals like Dmitry Khoroshev, who wreak havoc across the globe. He was certain he could remain anonymous, but he was wrong.” NCA Director General Graeme Biggar said.
“We know our work to disrupt LockBit thus far has been extremely successful in degrading their capability and credibility among the criminal community. The group’s attempt at rebuilding has resulted in a much less sophisticated enterprise with significantly reduced impact.”
“Today’s announcement puts another huge nail in the LockBit coffin and our investigation into them continues. We are also now targeting affiliates who have used LockBit services to inflict devastating ransomware attacks on schools, hospitals and major companies around the world.”
According to Europol, law enforcement agencies have obtained over 2,500 decryption keys and are contacting the LockBit victims to offer assistance. With Europol’s support, agencies like the Japanese Police, the National Crime Agency, and the FBI have developed decryption tools to recover files encrypted by LockBit ransomware. These tools are now accessible for free on the No More Ransom portal in 37 languages.
“Europol has been exploiting the vast amount of data gathered during the investigation and the first phase of action to identify these victims, who are located all over the world. Its European Cybercrime Centre (EC3) has disseminated some 3 500 intelligence packages containing information about Lockbit victims to 33 countries.” reads the announcement published by Europol.
(SecurityAffairs – hacking, cybercrime)
U.S. Charges Russian Man as Boss of LockBit Ransomware Group
The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.
Image: U.K. National Crime Agency.
Khoroshev (Дмитрий Юрьевич Хорошев), a resident of Voronezh, Russia, was charged in a 26-count indictment by a grand jury in New Jersey.
“Dmitry Khoroshev conceived, developed, and administered Lockbit, the most prolific ransomware variant and group in the world, enabling himself and his affiliates to wreak havoc and cause billions of dollars in damage to thousands of victims around the globe,” U.S. Attorney Philip R. Sellinger said in a statement released by the Justice Department.
The indictment alleges Khoroshev acted as the LockBit ransomware group’s developer and administrator from its inception in September 2019 through May 2024, and that he typically received a 20 percent share of each ransom payment extorted from LockBit victims.
The government says LockBit victims included individuals, small businesses, multinational corporations, hospitals, schools, nonprofit organizations, critical infrastructure, and government and law-enforcement agencies.
“Khoroshev and his co-conspirators extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery,” the DOJ said. “The LockBit ransomware group attacked more than 2,500 victims in at least 120 countries, including 1,800 victims in the United States.”
The unmasking of LockBitSupp comes nearly three months after U.S. and U.K. authorities seized the darknet websites run by LockBit, retrofitting them with press releases about the law enforcement action and free tools to help LockBit victims decrypt infected systems.
The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.
One of the blog captions that authorities left on the seized site was a teaser page that read, “Who is LockbitSupp?,” which promised to reveal the true identity of the ransomware group leader. That item featured a countdown clock until the big reveal, but when the site’s timer expired no such details were offered.
Following the FBI’s raid, LockBitSupp took to Russian cybercrime forums to assure his partners and affiliates that the ransomware operation was still fully operational. LockBitSupp also raised another set of darknet websites that soon promised to release data stolen from a number of LockBit victims ransomed prior to the FBI raid.
One of the victims LockBitSupp continued extorting was Fulton County, Ga. Following the FBI raid, LockbitSupp vowed to release sensitive documents stolen from the county court system unless paid a ransom demand before LockBit’s countdown timer expired. But when Fulton County officials refused to pay and the timer expired, no stolen records were ever published. Experts said it was likely the FBI had in fact seized all of LockBit’s stolen data.
LockBitSupp also bragged that their real identity would never be revealed, and at one point offered to pay $10 million to anyone who could discover their real name.
KrebsOnSecurity has been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.
“It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”
LockBitSupp, who now has a $10 million bounty for his arrest from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.
But Justice Department officials say LockBit never deleted its victim data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website.
Khoroshev is the sixth person officially indicted as an active member of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.
Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.
In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.
Matveev remains at large, presumably still in Russia. Meanwhile, the U.S. Department of State has a standing $10 million reward offer for information leading to Matveev’s arrest.
Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF).
In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.
The Justice Department is urging victims targeted by LockBit to contact the FBI at https://lockbitvictims.ic3.gov/ to file an official complaint, and to determine whether affected systems can be successfully decrypted.
MITRE attributes the recent attack to China-linked UNC5221
MITRE published more details on the recent security breach, including a timeline of the attack and attribution evidence.
MITRE has shared more details on the recent hack, including the new malware involved in the attack and a timeline of the attacker’s activities.
In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.
According to the MITRE Corporation, a nation-state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).
MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.
The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.
Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.
The organization said that the core enterprise network or partners’ systems were not affected by this incident.
Mitre researchers reported that the indicators of compromise that were observed during the security breach overlap with those Mandiant associated with UNC5221, which is a China-linked APT group.
The state-sponsored hackers first gained initial access to NERVE on December 31, then deployed the ROOTROT web shell on Internet-facing Ivanti appliances.
On January 4, 2024, the threat actors conducted reconnaissance of the NERVE environment. They accessed vCenter through a compromised Ivanti appliance and communicated with multiple ESXi hosts. The attackers used hijacked credentials to log into several accounts via RDP and accessed user bookmarks and file shares to probe the network.
Then the nation-state actors manipulated VMs to compromise the overall infrastructure.
“The adversary manipulated VMs and established control over the infrastructure. The adversary used compromised administrative credentials, authenticated from an internal NERVE IP address, indicating lateral movement within the NERVE.” reads the update published by Mitre. “They attempted to enable SSH and attempted to destroy one of their own VMs as well as POSTed to /ui/list/export and downloaded a file demonstrating a sophisticated attempt to conceal their presence and maintain persistence within the network.”
On January 7, 2024, the adversary accessed VMs and deployed malicious payloads, including the BRICKSTORM backdoor and a web shell tracked as BEEFLUSH, enabling persistent access and arbitrary command execution.
The hackers relied on SSH manipulation and script execution to maintain control over the compromised systems. MITRE noted that the attackers exploited a default VMware account to list drives and generate new VMs, one of which was removed on the same day. BRICKSTORM was discovered in directories with local persistence setups, communicating with designated C2 domains. BEEFLUSH interacted with internal IP addresses, executing dubious scripts and commands from the vCenter server’s /tmp directory.
In the following days, the threat actors deployed additional payloads on the target infrastructure, including the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration.
Between mid-February and mid-March, before MITRE discovered the security breach in April, threat actors maintained persistence in the NERVE environment and attempted lateral movement. The organization pointed out that the nation-state actors failed to compromise other resources.
“Despite unsuccessful attempts to pivot to other resources, the adversary persisted in accessing other virtual environments within vCenter.” concludes the update, which includes malware analysis and Indicators of Compromise for the involved payloads. “The adversary executed a ping command for one of MITRE’s corporate domain controllers and attempted to move laterally into MITRE systems but was unsuccessful.”
(SecurityAffairs – hacking, China)
Alexander Vinnik, the operator of BTC-e exchange, pleaded guilty to money laundering
Alexander Vinnik, a Russian operator of the virtual currency exchange BTC-e, pleaded guilty to participating in a money laundering scheme.
Alexander Vinnik, a Russian national, pleaded guilty to conspiracy to commit money laundering for his involvement in operating the cryptocurrency exchange BTC-e from 2011 to 2017. BTC-e processed over $9 billion in transactions and served over one million users globally, including many in the United States. In July 2017, law enforcement shut down the virtual currency exchange.
Greek Police arrested the Russian national in 2017, and they accused the man of running the BTC-e Bitcoin exchange to launder billions worth of cryptocurrency.
The virtual currency exchange received criminal proceeds from various illegal activities, including computer intrusions, ransomware attacks, identity theft, corruption, and drug distribution.
Vinnik promoted unlawful activities carried out through BTC-e and was responsible for at least $121 million in losses.
“BTC-e had no anti-money laundering (AML) and/or “know-your-customer” (KYC) processes and policies in place, as federal law also requires. BTC-e collected virtually no customer data at all, which made the exchange attractive to those who desired to conceal criminal proceeds from law enforcement.” reads the press release published by DoJ. “BTC-e relied on shell companies and affiliate entities that were similarly unregistered with FinCEN and lacked basic anti-money laundering and KYC policies to electronically transfer fiat currency in and out of BTC-e. Vinnik set up numerous such shell companies and financial accounts across the globe to allow BTC-e to conduct its business.”
In July 2018, a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion, and involvement in organized crime.
French authorities accused Vinnik of defrauding more than 100 people in six French cities between 2016 and 2018.
French prosecutors revealed that among the 188 victims of Vinnik’s attacks there were local authorities, businesses, and individuals across the world.
In June, New Zealand police had frozen NZ$140 million (US$90 million) in assets linked to a Russian cyber criminal. New Zealand police had worked closely with the US Internal Revenue Service on the case and the investigation is still ongoing.
Vinnik denied the charges of extortion and money laundering and did not answer the magistrates’ questions; his lawyer also announced that he is evaluating whether to appeal.
French prosecutors believe Vinnik was one of the authors of the Locky ransomware that was also employed in attacks on French businesses and organizations between 2016 and 2018.
At his trial, Vinnik explained that he was not the kingpin of the organization; he claimed to have served only as a technical operator executing the instructions of BTC-e directors.
Vinnik was convicted of money laundering but prosecutors didn’t find enough evidence to convict him of extortion.
“The court convicted Vinnik of money laundering but didn’t find enough evidence to convict him of extortion, and stopped short of the 10-year jail term and 750,000 euros in fines that prosecutors had requested.” reported the Associated Press.
“One of his French lawyers, Ariane Zimra, said his conviction for money laundering “doesn’t make sense,” arguing that cryptocurrency is not legally considered “money.””
Subsequently, Vinnik returned to Greece before being extradited to the U.S.
“Today’s result shows how the Justice Department, working with international partners, reaches across the globe to combat cryptocrime,” said Deputy Attorney General Lisa Monaco. “This guilty plea reflects the Department’s ongoing commitment to use all tools to fight money laundering, police crypto markets, and recover restitution for victims.”
In February, the U.S. charged Aliaksandr Klimenka, a Belarusian and Cypriot national linked with the cryptocurrency exchange BTC-e. The man is facing charges of money laundering conspiracy and operation of an unlicensed money services business.
According to the indictment, Klimenka allegedly controlled the platform BTC-e with Alexander Vinnik and others. Klimenka also allegedly controlled a technology services company named Soft-FX, and the financial company FX Open.
The servers that were hosting BTC-e were maintained in the United States, and according to the DoJ, they were allegedly leased to and maintained by Klimenka and Soft-FX.
Last Week in Security (LWiS) - 2024-05-06
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-29 to 2024-05-06.
News
- FCC Fines Major U.S. Wireless Carriers for Selling Customer Location Data - The real question is how much did these companies profit from this data before they were caught?
- BBC presenter's likeness used in advert after firm tricked by AI-generated voice - It's happening. Deep-phishing perhaps is the term? Are you/your customers ready? Can you simulate this attack?
- JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories - "nearly 20% of these public repositories (almost three million repositories!) actually hosted malicious content." :grimacing:
- A recent security incident involving Dropbox Sign - Where the juicy data goes, so go the attackers. This was an acquisition (HelloSign) from 2019, so it should have been fully integrated into Dropbox's security practice.
- Sodinokibi/REvil Affiliate Sentenced for Role in $700M Ransomware Scheme - A Ukrainian national was sentenced today to 13 years and seven months in prison and ordered to pay over $16 million in restitution for his role in conducting over 2,500 ransomware attacks and demanding over $700 million in ransom payments. A rare conviction in the ransomware scene.
- What's new in Windows Server 2025 (preview) - Microsoft has decided to change the default on #pre2k computer accounts and has removed the checkbox entirely in upcoming server releases.
Techniques and Write-ups
- Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes - Per usual, amazing post by Dirk-Jan. Passwordless persistence and Entra-ID <-> On-Prem tradecraft. Must read.
- Uncharmed: Untangling Iran's APT42 Operations - Tradecraft details including their use of social engineering for initial access and credential harvesting. NGOs and journalists are being targeted.
- SCCM Exploitation: Compromising Network Access Accounts - An article on how fruitful Network Access Accounts are along with some mitigation and detection guidance. Even comes with wazuh and elastic parsers and rules! Thorough work.
- ADCS Attack Paths in BloodHound — Part 2 - New edges introduced with ADCS support in bloodhound.
- How I hacked into Google's internal corporate assets - Spoiler alert: dependency confusion. Has anyone used this technique on a red team?
- CVE-2024-2887: A Pwn2own Winning Bug in Google Chrome - Type confusion in web assembly leads to shellcode execution in the V8 sandbox.
- Why sneak when you can walk through the front door - A Love letter to Password Spraying against M365 in Red Team Engagements - Great advice on performing a responsible password spray. The internal phish post-access is especially deadly.
- Manual LDAP Querying: Part 2 - Be careful with these (and Sharphound) as mature defenders will detect strange queries (like the SPN query).
- Code Injection to RCE with .NET - A real-life write up on a web app .NET injection and how it was turned into RCE.
- Sleeping Safely in Thread Pools - A new-to-red-teams (seen in the wild) technique to protect sleeping threads with thread pools.
- It's Morphin' Time: Self-Modifying Code Sections with WriteProcessMemory for EDR Evasion - This post introduces a novel self-injection technique for EDR evasion.
- Identifying Cross References with Capstone Disassembler and PEFile - Learn how to programmatically identify cross-references in malware code using Capstone Disassembler and PEFile in Python.
- Leash the Hounds: How to Stop LDAP Recon Attacks - Strategies to mitigate LDAP reconnaissance attacks using the LDAP Firewall for enhanced security and efficient auditing. ldapfw is the tool.
- DLS 2024 - RedTeam Fails - "Oops my bad I ruined the operation" - Examples of basic OPSEC mistakes during red team assessments.
- CFG in Windows 11 24H2 - Explore how Windows 11's 24H2 update integrates Control Flow Guard with hotpatching to enhance system security and efficiency.
- Tale of Code Integrity & Driver Loads - The article discusses how the Core Isolation user setting in Windows affects the process of driver loading, particularly focusing on Virtualization-based Security (VBS) and Hypervisor-Protected Code Integrity (HVCI).
- Send()-ing Myself Belated Christmas Gifts - GitHub.com's Environment Variables & GHES Shell - 2MB of env variables from production Github.com and RCE. What a bug!
- Virtualizing iOS on Apple Silicon - Some impressive low level hacking.
Tools and Exploits
- okta-terrify - Okta Verify and Okta FastPass Abuse Tool.
- cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
- KExecDD - Admin to Kernel code execution using the KSecDD driver.
- Python-Beacon - Python files to aid with shellcode execution.
- PPPwn - PlayStation 4 PPPoE RCE.
- SharpGraphView - Microsoft Graph API post-exploitation toolkit.
- symbolizer-rs - A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Hypervisor-Detection - Detects virtual machines and malware analysis environments.
- wstunnel - Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available.
- puter - 🌐 The Internet OS! Free, Open-Source, and Self-Hostable.
- Installomator - Installation script to deploy standard software on Macs.
- blint - BLint is a Binary Linter to check the security properties, and capabilities in your executables. Since v2, blint is also an SBOM generator for binaries.
- (The) Postman Carries Lots of Secrets - Don't sleep on Postman secrets!
- QCSuper - QCSuper is a tool for communicating with Qualcomm-based phones and modems, allowing it to capture raw 2G/3G/4G radio frames, among other things.
- proxybroker2 - The New (auto rotate) Proxy [Finder | Checker | Server]. HTTP(S) & SOCKS 🎭.
- JS-Tap - JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients.
- git-rotate - Leveraging GitHub Actions to rotate IP addresses during password spraying attacks to bypass IP-Based blocking.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
City of Wichita hit by a ransomware attack
The City of Wichita in Kansas was forced to shut down its computer systems after a ransomware attack.
The City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat.
The security breach took place on May 5th, 2024, and the City immediately started its incident response procedure to prevent the threat from spreading.
The City is investigating and containing the incident with the help of third-party security experts and federal and local law enforcement authorities.
“We regret to report that certain online City services may be unavailable as we thoroughly review and assess an incident that affected some of our computer systems. As part of this assessment, we turned off our computer network.” reads the security breach notification. “This decision was not made lightly but was necessary to ensure that systems are securely vetted before returning to service.”
The City warns that some services may be temporarily unavailable while systems are offline.
The City of Wichita is still investigating the scope of the incident and has yet to determine whether it has suffered a data breach.
The City hasn’t disclosed the family of ransomware that infected its systems and the name of the extortion gang behind the attack.
“We are working with specialists to thoroughly review and assess systems before putting them back online. Systems will be restored on a staggered basis to minimize disruptions. We do not have a definitive timeline for returning all systems to production.” the city noted.
“This [the name of the group that is claiming responsibility for the attack] is not being shared for operational security purposes.” states the report.
Why Your VPN May Not Be As Secure As It Claims
Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.
When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.
The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.
VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.
“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”
The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.
“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”
Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.
“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”
The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.
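The routing mechanism described above can be checked from the defender's side: decode the option 121 payload of a DHCP offer and flag any pushed route that is more specific than the tunnel routes the VPN installs, because longest-prefix matching will send that traffic over the physical interface. The following is an added example, not Leviathan's code or any VPN vendor's; the sample payload, the 192.168.1.200 rogue gateway and the two /1 tunnel routes are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

# A parsed route: (destination network, next-hop router).
Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(data: bytes) -> List[Route]:
    """Decode a DHCP option 121 (classless static route, RFC 3442) payload.

    Each route is encoded as: 1 byte prefix length, then only the
    significant octets of the destination (ceil(prefix/8) bytes), then the
    4-byte router address. A prefix length of 0 carries no destination octets.
    """
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"bad prefix length {prefix_len} at offset {i}")
        n_sig = (prefix_len + 7) // 8
        i += 1
        if i + n_sig + 4 > len(data):
            raise ValueError(f"truncated route at offset {i}")
        # Zero-pad the omitted low-order octets back to a full 4-byte address.
        dest = ipaddress.IPv4Address(data[i:i + n_sig] + b"\x00" * (4 - n_sig))
        i += n_sig
        router = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False tolerates a sender that left host bits set in the last octet.
        network = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((network, router))
    return routes


def routes_overriding_vpn(pushed: List[Route],
                          vpn_routes: List[ipaddress.IPv4Network]) -> List[Route]:
    """Return the pushed routes that win longest-prefix match against a VPN
    tunnel route: traffic to those destinations would leave the physical
    interface unencrypted instead of entering the tunnel."""
    flagged: List[Route] = []
    for net, router in pushed:
        if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_routes):
            flagged.append((net, router))
    return flagged


# Constructed sample: the two /1 routes a typical full-tunnel VPN installs
# (together they cover all destinations), and an option 121 payload as a rogue
# DHCP server on 192.168.1.0/24 might send. 192.168.1.200 is a placeholder for
# the rogue gateway; the destinations are RFC 5737 documentation ranges.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"),
              ipaddress.IPv4Network("128.0.0.0/1")]

SAMPLE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"            # 0.0.0.0/0      via 192.168.1.1   (ordinary default)
    "18" "cb0071" "c0a801c8"   # 203.0.113.0/24 via 192.168.1.200 (beats the /1 tunnel)
    "10" "c633" "c0a801c8"     # 198.51.0.0/16  via 192.168.1.200 (beats the /1 tunnel)
)


if __name__ == "__main__":
    pushed = parse_option_121(SAMPLE_OPTION_121)
    for net, router in pushed:
        print(f"pushed route {net} via {router}")
    for net, router in routes_overriding_vpn(pushed, VPN_ROUTES):
        print(f"WARNING: {net} via {router} takes precedence over the VPN tunnel")
```

The default route is not flagged because /0 is less specific than the tunnel's /1 routes; only the two narrower prefixes would pull traffic off the tunnel.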
ANALYSIS
Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.
“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.
Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.
“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”
Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.
KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.
“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”
MITIGATIONS
According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.
Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.
“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”
Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.
In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.
“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”
Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.
“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”
A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.
El Salvador suffered a massive leak of biometric data
Resecurity found a massive leak involving the exposure of personally identifiable information (PII) of over five million citizens of El Salvador on the Dark Web.
Resecurity identified a massive leak of the personally identifiable information (PII) of over five million citizens from El Salvador on the Dark Web, impacting more than 80% of the country’s population.
The threat actor, going by the alias ‘CiberinteligenciaSV,’ posted the 144 GB data dump to Breach Forums, writing that the leak included 5,129,518 high-definition photos, each labeled with the corresponding Salvadorian’s document identification (DUI) number. Resecurity assesses that the real intellectual authors of this breach appear to have an interest in obscuring their involvement, using the background specter of the Guacamaya group and its unofficial proxies to form a cloud of uncertainty surrounding the real threat actors and attack chain that caused the data leak.
The data dump includes the following fields:
– ID
– Identification document (DUI)
– Names/Last names
– Date of birth
– Telephone
– Email
– Address
– Photo of the victim
Ultimately, this data leak is significant because it marks one of the first instances in cybercrime history where virtually the entire population of a country has been affected by a compromise of biometric data. A Federal Trade Commission advisory published last year states, “Biometric information refers to data that depict or describe physical, biological, or behavioral traits, characteristics, or measurements of or relating to an identified or identifiable person’s body.”
Beyond the massive scale of Salvadorian PII records, threat actors also obtained a headshot of each victim, which represents a crucial biometric data marker – particularly in the golden age of generative AI. Notably, the vast scale of this biometric and PII data breach places most of El Salvador’s population at significant risk for identity theft and fraud. Armed with modern deep fake technology, threat actors can leverage victim headshots and related PII to stage more convincing frauds across a broad universe of digital-first financial, merchant, and government portals.
The detailed report is available here: