Threat actors may have exploited a zero-day in older iPhones, Apple warns
Apple rolled out urgent security updates to address code execution vulnerabilities in iPhones, iPads, and macOS.
Apple released urgent security updates to address multiple vulnerabilities in iPhones, iPads, and macOS. The company also warns that a vulnerability patched in March may have been exploited as a zero-day.
The issue impacts older iPhone devices. It is tracked as CVE-2024-23296 and is a memory corruption flaw in RTKit.
The Real-Time Kernel is a component of the operating system responsible for managing and executing tasks with strict timing requirements.
“An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections,” reads the advisory published by the Cupertino firm. “Apple is aware of a report that this issue may have been exploited.”
The IT giant fixed the memory corruption bug with improved validation, releasing iOS 16.7.8 and iPadOS 16.7.8.
The company also addressed a logic issue, tracked as CVE-2024-27789, in the Foundation framework. The flaw can be exploited by an app to access user-sensitive data.
The flaw was reported by Mickey Jin (@patch1t); the company addressed the vulnerability with improved checks.
Security patches are available for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation.
Apple released security patches to fix other issues in multiple products. The vulnerabilities fixed by the vendor can lead to arbitrary code execution, privilege escalation, denial-of-service attacks, and unauthorized access to data.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
Last Week in Security (LWiS) - 2024-05-13
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-05-06 to 2024-05-13.
News
- Proton Mail Discloses User Data Leading to Arrest in Spain - People trusting VPNs is still wild.
- Ascension hospitals report 'disruptions' to clinic operations following suspected cyber attack - Ascension is one of the largest hospital systems in Illinois, with 150 care sites and 14 hospitals, including Ascension St. Francis in Evanston.
- A joint statement from UniSuper CEO Peter Chun, and Google Cloud CEO, Thomas Kurian - When the Google Cloud CEO has to make a statement, you know it's a big deal. UniSuper, an Australian superannuation fund, had their entire Google Cloud account deleted in "an isolated, one-of-a-kind occurrence." They were saved only because they kept a backup totally outside of Google Cloud. This will be a wild one for your tabletop exercises.
- How Did Authorities Identify the Alleged Lockbit Boss? - Last week global law enforcement arrested the alleged leader of the LockBit ransomware gang (known online as "LockBitSupp"). Krebs has the details on how they tracked him down.
Techniques and Write-ups
- TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak - With a little-used DHCP option, an attacker in a position to send DHCP responses to a victim (real or through a rogue DHCP server) can push specific routes that will allow them to see traffic that the user believes is protected by a VPN.
- CVE-2024-21115: An Oracle VirtualBox LPE Used to Win Pwn2Own - Great, detailed write-up of an out-of-bounds write leading to arbitrary WinExec -- not quite arbitrary code execution thanks to Control Flow Guard.
- Understanding and Evading Microsoft Defender for Identity PKINIT Detection - If you want to not stand out, it's always best to look exactly like native tools. To achieve this, try the new tool: Invoke-RunAsWithCert - A PowerShell script to perform PKINIT authentication with the Windows API from a non-domain-joined machine.
- Marshal Like a Boss With Reflective Loading in C# - This post shows how reflective loading can be combined with storing a DLL in resources to marshal functions from it into the managed runtime without dropping any artifacts on disk.
- Custom Beacon Artifacts - Blog post explaining how to create custom Beacon artifacts for Cobalt Strike by modifying and building executable templates in C++ and Rust, allowing for the injection and execution of Beacon shellcode in memory without detection.
- When "Phish-Proof" Gets Hooked - How a red team revealed a vulnerability in Okta FastPass, by exploiting the transition from the Loopback flow to the Custom URL flow, bypassing anti-phishing protections. So much Okta tradecraft lately.
- Lethal Injection: How We Hacked Microsoft's Healthcare Chat Bot - Multiple vulnerabilities in Microsoft's Azure Health Bot service that could have allowed unauthorized access to sensitive infrastructure and medical data. All patched. Cool work!
- Today I Learned - Zsh History Timestamps - In Zsh, commands executed during a session are logged with timestamps, but these timestamps reset upon reboot or session closure. The timestamps are useful for incident response on systems where Zsh is the default shell.
- Abusing Azure Logic Apps - Part 1 - Looking forward to this series. How attackers can abuse storage account privileges linked with a logic app to gain unauthorized access, execute system commands, and create workflows, focusing on the relationship between logic apps and storage accounts.
- Looking back at the past 4 months - For those thinking about starting to become a full time bug bounty hunter. An anecdote.
- Bypassing WAFs to Exploit CSPT Using Encoding Levels - How to exploit Client Side Path Traversal (CSPT) vulnerabilities by bypassing Web Application Firewalls (WAFs) using different encoding levels to execute attacks such as cross-site scripting (XSS).
- Kerberos Delegation Test App - Rasta built an ASP.NET Core app to understand the Kerberos protocol by capturing and decrypting real traffic.
- The Structure and Taxonomy of a Detection Knowledge Base - The importance of documentation in detection engineering.
- Schneider Electric APC Easy UPS RCE - Java RMI Applevel Deser for JEP>=290 - RCE those pesky UPS devices all over your internal pentest.
- Digging for SSRF in NextJS apps - The blog post explores the potential for SSRF vulnerabilities in NextJS applications due to misconfigurations, focusing on the _next/image component. It demonstrates how attackers can exploit these weaknesses to perform SSRF attacks, explains in detail how security measures are bypassed, and covers a newly discovered SSRF vulnerability that was assigned CVE-2024-34351.
- Hacking Apple - SQL Injection to Remote Code Execution - Researchers from ProjectDiscovery identified a critical SQL injection vulnerability in Apple's Book Travel portal, which uses the Mura/Masa CMS. The flaw led to RCE, and they responsibly disclosed it. Wicked!
- Lateral movement and on-prem NT hash dumping with Microsoft Entra Temporary Access Passes - Temporary passwords can give access to long term keys! Great writeup from Dirk-jan as always.
- Poisoning Pipelines: Azure DevOps Edition - DevOps and CI/CD solutions have come under fire recently, and this post shows how to abuse Azure DevOps to execute arbitrary code.
- Emulation with Qiling - Qiling has some cool features, like the ability to fake file systems, hook functions, and even modify registers on the fly. This post shows how to use Qiling to emulate NEXXT Polaris 150 travel router.
- XZ Utils Made Me Paranoid - If you too are paranoid due to the XZ backdoor incident, check out VerifyELF, a tool to validate that no hooks are installed in running processes. If there are, it prints that fact and the offset of the first difference, or optionally all differences.
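The Zsh history item above notes that Zsh records per-command timestamps that help build an incident timeline. As an added example (my own code, not from the linked post or the LWiS author), the following parses a constructed .zsh_history written with EXTENDED_HISTORY into timestamped entries, joins multi-line commands, and filters them to an incident window; the sample content and the `in_window`/`render` helpers are my assumptions.

```python
"""Parse a zsh history file written with EXTENDED_HISTORY into an IR timeline."""
import re
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional

# With EXTENDED_HISTORY set, zsh writes each entry as
# ": <start-epoch>:<elapsed-seconds>;<command>".
_EXTENDED = re.compile(r"^: (\d+):(\d+);(.*)$", re.DOTALL)


class HistEntry(NamedTuple):
    started: Optional[datetime]  # None when the entry carries no timestamp
    elapsed: Optional[int]       # wall-clock seconds the command ran
    command: str


def parse_zsh_history(text: str) -> List[HistEntry]:
    """Turn raw .zsh_history content into entries, joining multi-line commands.

    zsh stores an embedded newline as a backslash at the end of the physical
    line, so a line ending in a backslash continues on the next one.
    """
    entries: List[HistEntry] = []
    pending: Optional[str] = None
    for line in text.split("\n"):
        pending = line if pending is None else pending + "\n" + line
        if pending.endswith("\\"):
            pending = pending[:-1]  # drop the continuation marker, keep reading
            continue
        if pending.strip():
            m = _EXTENDED.match(pending)
            if m:
                started = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
                entries.append(HistEntry(started, int(m.group(2)), m.group(3)))
            else:
                # Plain history (EXTENDED_HISTORY unset): command only, no time context.
                entries.append(HistEntry(None, None, pending))
        pending = None
    return entries


def in_window(entries: List[HistEntry], start: datetime, end: datetime) -> List[HistEntry]:
    """Entries whose start time falls inside [start, end]; untimed entries are excluded."""
    return [e for e in entries if e.started is not None and start <= e.started <= end]


def render(entries: List[HistEntry]) -> List[str]:
    """One human-readable line per entry, newlines inside commands shown escaped."""
    out = []
    for e in entries:
        if e.started is None:
            stamp = "<no timestamp>"
        else:
            stamp = e.started.strftime("%Y-%m-%dT%H:%M:%SZ") + f" (+{e.elapsed}s)"
        cmd = e.command.replace("\n", "\\n")
        out.append(f"{stamp}  {cmd}")
    return out


# Constructed sample .zsh_history content (not taken from any real system),
# including a multi-line command and one entry written without EXTENDED_HISTORY.
SAMPLE_HISTORY = (
    ": 1715500000:0;ls -la /var/log\n"
    ": 1715500030:2;for f in /var/log/*.log; do\\\n"
    "  gzip -k $f\\\n"
    "done\n"
    ": 1715500100:0;sudo systemctl restart sshd\n"
    "echo untimed\n"
)

if __name__ == "__main__":
    for line in render(parse_zsh_history(SAMPLE_HISTORY)):
        print(line)
```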
Tools and Exploits
- IconJector - Unorthodox and stealthy way to inject a DLL into the explorer using icons.
- TrollDump - Injects a 64-bit managed DLL into a 64-bit managed or unmanaged process using setwindowshook.
- pgdsat - PostgreSQL Database Security Assessment Tool.
- grype - A vulnerability scanner for container images and filesystems.
- parsnip - Parsnip is a program developed to assist in the parsing of protocols using the open source network security monitoring tool Zeek.
- vulnrichment - A repo to conduct vulnerability enrichment.
- ImmoralFiber - Fibers are an optional and largely undocumented component of the Windows operating system, existing only in user mode.
- IPPrintC2 - PoC for using MS Windows printers for persistence / command and control via Internet Printing.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- Raspberry Pi Connect - "...a secure and easy-to-use way to access your Raspberry Pi remotely, from anywhere on the planet, using just a web browser."
- C-from-Scratch - A roadmap to learn C from Scratch.
- regulator - Automated learning of regexes for DNS discovery.
- confused - Tool to check for dependency confusion vulnerabilities in multiple package management systems.
- ashirt-server - Adversary Simulators High-Fidelity Intelligence and Reporting Toolkit.
- bsides-nashville-identity-crisis - Identity Crisis: Combating M365 Account Takeovers at Scale (BSides Nashville 2024).
- Survivorship Bias and How Red Teams Can Handle It - Not the first time I've heard this before.
- gcp-iam-brute - GCP IAM Brute is a tool that leverages the testIamPermissions feature in Google Cloud Platform (GCP) to perform fuzz testing for different permissions within GCP.
- stalker - Stalker, the Extensible Attack Surface Management tool.
- cloudmapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
- waymore - Find way more from the Wayback Machine, Common Crawl, Alien Vault OTX, URLScan & VirusTotal!
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
City of Helsinki suffered a data breach
The City of Helsinki suffered a data breach that impacted tens of thousands of students, guardians, and personnel.
The Police of Finland are investigating a data breach suffered by the City of Helsinki; the security breach occurred during the night of 30 April 2024.
The data breach impacted the City’s Education Division’s computer network. The City of Helsinki reported the incident to the police and the investigation is still ongoing to determine the extent and impact of the incident.
“The volume of data under investigation is significant. Unfortunately, we are currently unable to provide an accurate assessment of what data the perpetrator may have accessed. What we can tell you about at this time are the possible risks, so that personnel and customers of the Education Division can prepare for them. This procedure is in line with data protection law,” says Satu Järvenkallas, Executive Director of the Education Division.
“The victim of the crime is currently the City of Helsinki, from which the police will receive all necessary information for the investigation of the case. City residents do not need to contact the police”, said the Deputy Police Commissioner Heikki Kopperoinen.
The City already implemented various security measures in response to the security breach.
“We previously announced that the party behind the data breach has gained access to student and personnel usernames and email addresses. Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division. Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,” says the City of Helsinki’s Chief Digital Officer Hannu Heikkinen.
The incident exposed tens of millions of files, most of which contain ordinary personal information, and the City believes that the opportunity for abuse of this information is minor. However, some of the compromised documents include confidential information or sensitive personal information.
“These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.” reads the statement published by the City of Helsinki. “We cannot rule out the possibility of the perpetrator gaining access to data of persons under a non-disclosure restriction.”
The compromised data includes information dating back several years, potentially exposing individuals who are no longer customers or staff members of the Education Division.
According to the announcement, threat actors exploited a vulnerability in the Education Division network server to remotely access it. Although a patch to fix this vulnerability was available, it was not installed on the server for unknown reasons. Hannu Heikkinen stated that their security controls and procedures were inadequate, but measures have been implemented to prevent a similar breach in the future. No evidence suggests that the threat actors accessed networks or data from other divisions, but all City of Helsinki networks are being closely monitored.
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel. We regret this situation deeply. Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians. The breach also affects all of our personnel, as the perpetrator gained access to all personnel usernames and email addresses,” says City Manager Jukka-Pekka Ujula. “Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city’s senior management,” Ujula continues.
Russian hackers defaced local British news sites
A group of hackers that defines itself as “first-class Russian hackers” claims the defacement of hundreds of local and regional British newspaper websites.
A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and posted the message “PERVOKLASSNIY RUSSIAN HACKERS ATTACK.”
The following image shows an archived version of the East Lothian Courier, one of the impacted newspapers, as published by Recorded Future News.
Newsquest Media Group Limited is the second-largest publisher of regional and local newspapers in the United Kingdom. It is owned by the American mass media holding company Gannett. It has 205 brands across the UK, publishing online and in print (165 newspaper brands and 40 magazine brands) and reaches 28 million visitors a month online and 6.5 million readers a week in print. Based in London, Newsquest employs a total of more than 5,500 people across the UK.
Local media websites in the UK are vulnerable to cyber attacks; threat actors can target them to spread fake news.
In August 2020, security experts from FireEye uncovered a disinformation campaign aimed at discrediting NATO by spreading fake news content on compromised news websites.
“The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye.
According to FireEye, the campaign, tracked as GhostWriter, has been ongoing since at least March 2017 and is aligned with Russian security interests.
Unlike other disinformation campaigns, GhostWriter doesn’t spread through social networks. Instead, the threat actors behind it abused compromised content management systems (CMS) of news websites or spoofed email accounts to disseminate fake news.
The attackers replaced existing legitimate articles on the sites with fake content, rather than creating new posts.
The attackers were spreading fabricated content, including falsified news articles, quotes, correspondence, and other documents designed to appear as coming from military officials and political figures in the target countries.
According to the experts, the campaign primarily targeted audiences in specific member states of the alliance, including Lithuania, Latvia, and Poland.
How Did Authorities Identify the Alleged Lockbit Boss?
Last week, the United States joined the U.K. and Australia in sanctioning and charging a Russian man named Dmitry Yuryevich Khoroshev as the leader of the infamous LockBit ransomware group. LockBit’s leader “LockBitSupp” claims the feds named the wrong guy, saying the charges don’t explain how they connected him to Khoroshev. This post examines the activities of Khoroshev’s many alter egos on the cybercrime forums, and tracks the career of a gifted malware author who has written and sold malicious code for the past 14 years.
Dmitry Yuryevich Khoroshev. Image: treasury.gov.
On May 7, the U.S. Department of Justice indicted Khoroshev on 26 criminal counts, including extortion, wire fraud, and conspiracy. The government alleges Khoroshev created, sold and used the LockBit ransomware strain to personally extort more than $100 million from hundreds of victim organizations, and that LockBit as a group extorted roughly half a billion dollars over four years.
Federal investigators say Khoroshev ran LockBit as a “ransomware-as-a-service” operation, wherein he kept 20 percent of any ransom amount paid by a victim organization infected with his code, with the remaining 80 percent of the payment going to LockBit affiliates responsible for spreading the malware.
Financial sanctions levied against Khoroshev by the U.S. Department of the Treasury listed his known email and street address (in Voronezh, in southwest Russia), passport number, and even his tax ID number (hello, Russian tax authorities). The Treasury filing says Khoroshev used the emails [email protected], and [email protected].
According to DomainTools.com, the address [email protected] was used to register at least six domains, including a Russian business registered in Khoroshev’s name called tkaner.com, which is a blog about clothing and fabrics.
A search at the breach-tracking service Constella Intelligence on the phone number in Tkaner’s registration records — 7.9521020220 — brings up multiple official Russian government documents listing the number’s owner as Dmitri Yurievich Khoroshev.
Another domain registered to that phone number was stairwell[.]ru, which at one point advertised the sale of wooden staircases. Constella finds that the email addresses [email protected] and [email protected] used the password 225948.
DomainTools reports that stairwell.ru for several years included the registrant’s name as “Dmitrij Ju Horoshev,” and the email address [email protected]. According to Constella, this email address was used in 2010 to register an account for a Dmitry Yurievich Khoroshev from Voronezh, Russia at the hosting provider firstvds.ru.
Image: Shutterstock.
Cyber intelligence firm Intel 471 finds that [email protected] was used by a Russian-speaking member called Pin on the English-language cybercrime forum Opensc. Pin was active on Opensc around March 2012, and authored 13 posts that mostly concerned data encryption issues, or how to fix bugs in code.
Other posts concerned custom code Pin claimed to have written that would bypass memory protections on Windows XP and Windows 7 systems, and inject malware into memory space normally allocated to trusted applications on a Windows machine.
Pin also was active at that same time on the Russian-language security forum Antichat, where they told fellow forum members to contact them at the ICQ instant messenger number 669316.
NEROWOLFE
A search on the ICQ number 669316 at Intel 471 shows that in April 2011, a user by the name NeroWolfe joined the Russian cybercrime forum Zloy using the email address [email protected], and from an Internet address in Voronezh, RU.
Constella finds the same password tied to [email protected] (225948) was used by the email address [email protected], which Intel 471 says was registered to more than a dozen NeroWolfe accounts across just as many Russian cybercrime forums between 2011 and 2015.
NeroWolfe’s introductory post to the forum Verified in Oct. 2011 said he was a system administrator and C++ coder.
“Installing SpyEYE, ZeuS, any DDoS and spam admin panels,” NeroWolfe wrote. This user said they specialize in developing malware, creating computer worms, and crafting new ways to hijack Web browsers.
“I can provide my portfolio on request,” NeroWolfe wrote. “P.S. I don’t modify someone else’s code or work with someone else’s frameworks.”
In April 2013, NeroWolfe wrote in a private message to another Verified forum user that he was selling a malware “loader” program that could bypass all of the security protections on Windows XP and Windows 7.
“The access to the network is slightly restricted,” NeroWolfe said of the loader, which he was selling for $5,000. “You won’t manage to bind a port. However, it’s quite possible to send data. The code is written in C.”
In an October 2013 discussion on the cybercrime forum Exploit, NeroWolfe weighed in on the karmic ramifications of ransomware. At the time, ransomware-as-a-service didn’t exist yet, and many members of Exploit were still making good money from “lockers,” relatively crude programs that locked the user out of their system until they agreed to make a small payment (usually a few hundred dollars via prepaid Green Dot cards).
Lockers, which presaged the coming ransomware scourge, were generally viewed by the Russian-speaking cybercrime forums as harmless moneymaking opportunities, because they usually didn’t seek to harm the host computer or endanger files on the system. Also, there were still plenty of locker programs that aspiring cybercriminals could either buy or rent to make a steady income.
NeroWolfe reminded forum denizens that they were just as vulnerable to ransomware attacks as their would-be victims, and that what goes around comes around.
“Guys, do you have a conscience?,” NeroWolfe wrote. “Okay, lockers, network gopstop aka business in Russian. The last thing was always squeezed out of the suckers. But encoders, no one is protected from them, including the local audience.”
If Khoroshev was ever worried that someone outside of Russia might be able to connect his early hacker handles to his real life persona, that’s not clear from reviewing his history online. In fact, the same email address tied to so many of NeroWolfe’s accounts on the forums — [email protected] — was used in 2011 to create an account for a Dmitry Yurevich Khoroshev on the Russian social media network Vkontakte.
NeroWolfe seems to have abandoned all of his forum accounts sometime in 2016. In November 2016, an exploit[.]ru member filed an official complaint against NeroWolfe, saying NeroWolfe had been paid $2,000 to produce custom code but never finished the project and vanished.
It’s unclear what happened to NeroWolfe or to Khoroshev during this time. Maybe he got arrested, or some close associates did. Perhaps he just decided it was time to lay low and hit the reset on his operational security efforts, given his past failures in this regard. It’s also possible NeroWolfe landed a real job somewhere for a few years, fathered a child, and/or had to put his cybercrime career on hold.
PUTINKRAB
Or perhaps Khoroshev saw the coming ransomware industry for the endless pot of gold that it was about to become, and then dedicated himself to working on custom ransomware code. That’s what the government believes.
The indictment against Khoroshev says he used the hacker nickname Putinkrab, and Intel 471 says this corresponds to a username that was first registered across three major Russian cybercrime forums in early 2019.
KrebsOnSecurity could find no obvious connections between Putinkrab and any of Khoroshev’s older identities. However, if Putinkrab was Khoroshev, he would have learned from his past mistakes and started fresh with a new identity (which he did). But also, it is likely the government hasn’t shared all of the intelligence it has collected against him (more on that in a bit).
Putinkrab’s first posts on the Russian cybercrime forums XSS, Exploit and UFOLabs saw this user selling ransomware source code written in C.
A machine-translated ad for ransomware source code from Putinkrab on the Russian language cybercrime forum UFOlabs in 2019. Image: Ke-la.com.
In April 2019, Putinkrab offered an affiliate program that would run on top of his custom-made ransomware code.
“I want to work for a share of the ransoms: 20/80,” Putinkrab wrote on Exploit. “20 percent is my percentage for the work, you get 80% of the ransoms. The percentage can be reduced up to 10/90 if the volumes are good. But now, temporarily, until the service is fully automated, we are working using a different algorithm.”
Throughout the summer of 2019, Putinkrab posted multiple updates to Exploit about new features being added to his ransomware strain, as well as novel evasion techniques to avoid detection by security tools. He also told forum members he was looking for investors for a new ransomware project based on his code.
In response to an Exploit member who complained that the security industry was making it harder to profit from ransomware, Putinkrab said that was because so many cybercriminals were relying on crappy ransomware code.
“The vast majority of top antiviruses have acquired behavioral analysis, which blocks 95% of crypto-lockers at their root,” Putinkrab wrote. “Cryptolockers made a lot of noise in the press, but lazy system administrators don’t make backups after that. The vast majority of cryptolockers are written by people who have little understanding of cryptography. Therefore, decryptors appear on the Internet, and with them the hope that files can be decrypted without paying a ransom. They just sit and wait. Contact with the owner of the key is lost over time.”
Putinkrab said he had every confidence his ransomware code was a game-changer, and a huge money machine.
“The game is just gaining momentum,” Putinkrab wrote. “Weak players lose and are eliminated.”
The rest of his response was structured like a poem:
“In this world, the strongest survive.
Our life is just a struggle.
The winner will be the smartest,
Who has his head on his shoulders.”
Putinkrab’s final post came on August 23, 2019. The Justice Department says the LockBit ransomware affiliate program was officially launched five months later. From there on out, the government says, Khoroshev adopted the persona of LockBitSupp. In his introductory post on Exploit, LockBit’s mastermind said the ransomware strain had been in development since September 2019.
The original LockBit malware was written in C (a language that NeroWolfe excelled at). Here’s the original description of LockBit, from its maker:
“The software is written in C and Assembler; encryption is performed through the I/O Completion Port; there is a port scanning local networks and an option to find all DFS, SMB, WebDAV network shares, an admin panel in Tor, automatic test decryption; a decryption tool is provided; there is a chat with Push notifications, a Jabber bot that forwards correspondence and an option to terminate services/processes in line which prevent the ransomware from opening files at a certain moment. The ransomware sets file permissions and removes blocking attributes, deletes shadow copies, clears logs and mounts hidden partitions; there is an option to drag-and-drop files/folders and a console/hidden mode. The ransomware encrypts files in parts in various places: the larger the file size, the more parts there are. The algorithms used are AES + RSA.
You are the one who determines the ransom amount after communicating with the victim. The ransom paid in any currency that suits you will be transferred to your wallets. The Jabber bot serves as an admin panel and is used for banning, providing decryption tools, chatting – Jabber is used for absolutely everything.”
CONCLUSION
Does the above timeline prove that NeroWolfe/Khoroshev is LockBitSupp? No. However, it does indicate Khoroshev was for many years deeply invested in countless schemes involving botnets, stolen data, and malware he wrote that others used to great effect. NeroWolfe’s many private messages from fellow forum members confirm this.
NeroWolfe’s specialty was creating custom code that employed novel stealth and evasion techniques, and he was always quick to volunteer his services on the forums whenever anyone was looking for help on a malware project that called for a strong C or C++ programmer.
Someone with those qualifications — as well as demonstrated mastery of data encryption and decryption techniques — would have been in great demand by the ransomware-as-a-service industry that took off at around the same time NeroWolfe vanished from the forums.
Someone like that who is near or at the top of their game vis-a-vis their peers does not simply walk away from that level of influence, community status, and potential income stream unless forced to do so by circumstances beyond their immediate control.
It’s important to note that Putinkrab didn’t just materialize out of thin air in 2019 — suddenly endowed with knowledge about how to write advanced, stealthy ransomware strains. That knowledge clearly came from someone who’d already had years of experience building and deploying ransomware strains against real-life victim organizations.
Thus, whoever Putinkrab was before they adopted that moniker, it’s a safe bet they were involved in the development and use of earlier, highly successful ransomware strains. One strong possible candidate is Cerber ransomware, the most popular and effective affiliate program operating between early 2016 and mid-2017. Cerber thrived because it emerged as an early mover in the market for ransomware-as-a-service offerings.
In February 2024, the FBI seized LockBit’s cybercrime infrastructure on the dark web, following an apparently lengthy infiltration of the group’s operations. The United States has already indicted and sanctioned at least five other alleged LockBit ringleaders or affiliates, so presumably the feds have been able to draw additional resources from those investigations.
Also, it seems likely that the three national intelligence agencies involved in bringing these charges are not showing all of their cards. For example, the Treasury documents on Khoroshev mention a single cryptocurrency address, and yet experts interviewed for this story say there are no obvious clues connecting this address to Khoroshev or Putinkrab.
But given that LockBitSupp has been actively involved in LockBit ransomware attacks against organizations for four years now, the government almost certainly has an extensive list of the LockBit leader’s various cryptocurrency addresses — and probably even his bank accounts in Russia. And no doubt the money trail from some of those transactions was traceable to its ultimate beneficiary (or close enough).
Not long after Khoroshev was charged as the leader of LockBit, a number of open-source intelligence accounts on Telegram began extending the information released by the Treasury Department. Within hours, these sleuths had unearthed more than a dozen credit card accounts used by Khoroshev over the past decade, as well as his various bank account numbers in Russia.
The point is, this post is based on data that’s available to and verifiable by KrebsOnSecurity. Woodward & Bernstein’s source in the Watergate investigation — Deep Throat — famously told the two reporters to “follow the money.” This is always excellent advice. But these days, that can be a lot easier said than done — especially with people who a) do not wish to be found, and b) don’t exactly file annual reports.