Crime Shop Sells Hacked Logins to Other Crime Shops

Up for the “Most Meta Cybercrime Offering” award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.

Criminals ripping off other crooks is a constant theme in the cybercrime underworld; Accountz Club’s slogan — “the best autoshop for your favorite shops’ accounts” — simply normalizes this activity by offering logins stolen from users of various cybercrime shops for sale at a fraction of their account balances.

The site says it sells “cracked” accounts, or those that used passwords which could be easily guessed or enumerated by automated tools. All of the credentials being sold by Accountz provide access to services that in turn sell access to stolen information or hijacked property, as in the case of “bot shops” that resell access to infected computers.

One example is Genesis Market, where customers can search for stolen credentials and authentication cookies from a broad range of popular online destinations. Genesis even offers a custom-made web browser where you can load authentication cookies from botted PCs and waltz right into the account without having to enter a username or password or mess with multi-factor authentication.

Accountz is currently selling four different Genesis logins for about 40-50 percent of their unspent balances. Genesis mostly gets its inventory of botted computers and stolen logins from resellers who specialize in deploying infostealer malware via email and booby-trapped websites. Likewise, it appears Accountz also derives much of its stock from a handful of resellers, who presumably are the same ones doing the cybercrime service account cracking.

The Genesis bot shop.

In essence, Accountz customers are paying for illicit access to cybercrime services that sell access to compromised resources that can be abused for cybercrime. That’s seriously meta.

Accountz says its inventory is low right now but that it expects to offer a great deal more stock in the coming days. I don’t doubt that’s true, and it’s somewhat remarkable that services like this aren’t more common: From reporting my “Breadcrumbs” series on prominent cybercrime actors, it’s clear that a great many cybercriminals will use the same username and password across multiple services online.

What’s more, relatively few cybercrime shops online offer their users any sort of multi-factor authentication. That’s probably because so few customers supply their real contact information when they sign up. As a result, it is often far easier for customers to simply create a new account than it is to regain control over a hacked one, or to change a forgotten password. On top of that, most shops have only rudimentary tools for blocking automated login attempts and password cracking activity.

It will be interesting to see whether any of the cybercrime shops most heavily represented in the logins for sale at Accountz start to push back. After all, draining customer account balances and locking out users is likely to increase customer support costs for these shops, lower customer satisfaction, and perhaps even damage their reputations on the crime forums where they peddle their wares.

Oh, the horror.

PowerQuery Brings New Data Analytics Capabilities to Singularity XDR

Endpoint Detection and Response (EDR) provides increased visibility and the data necessary for incident response, threat detection, threat hunting, and investigations. As EDR evolves into Extended Detection and Response (XDR), the amount and types of data will only increase. Adding more data should not require more people to make sense of it. With the SentinelOne acquisition of Scalyr last year, we acquired a rich set of data analytics capabilities that we are bringing to our customers to make it faster and easier to make sense of all that data.

SentinelOne is pleased to announce advanced query capabilities from within the Singularity XDR platform that will change how our users can ask complex data questions and get back answers quickly.

Introducing PowerQuery for Singularity XDR

The SentinelOne PowerQuery interface provides a rich set of commands for summarizing, transforming, and manipulating data. You can filter data, perform computations, create groups and statistical summaries to answer complex questions.

PowerQuery allows you not just to search data, but to get powerful summaries of your data without having to dig through thousands of events manually. As customers onboard new third-party data via the Singularity Marketplace, PowerQuery will enable them to join data across telemetry sources beyond EDR.

PowerQuery can be very useful when you want to:

  • Group data (Sort, Count, etc.)
  • Use Statistics as part of the query to find anomalies or start a hunt
  • Look for specific things across the environment and get back a summary (IOCs)
  • Have the flexibility to join or union two or more queries together to find the needle in the haystack faster

Key Capabilities

  • Autocomplete makes it fast and effortless to build queries without understanding the schema
  • Save and export queries via the UI or API
  • Simple data summaries make finding threats and answering questions easier and faster
  • Perform numerical, string, and time-based functions on the data
  • Data aggregation (sum, count, avg, median, min, max, percentile, etc.)
  • Support for RegEx in queries (matches)
  • Query support for arithmetic operators (+, -, *, /, %, and negation)
  • Ternary operators to perform complex logic (let SLA_Status = (latency > 3000 OR error_percentage > .2) ? "violation" : "ok")

PowerQuery Commands include:

  • Filter: Support any standard data query with autocomplete to make it simple.
  • Columns: Define which columns you want in the summary table
  • Group by Functions: Aggregate records, grouping them by one or more fields and computing aggregate statistics for each group; supports functions such as sum, count, estimate_distinct, percentile, min, and max
  • Join: Execute two or more subqueries and merge the results into a single table. Only the data from the records that match the query will be included in the results.
  • Limit: Cap the number of records displayed or processed by subsequent commands
  • Sort: Determine the order in which records are displayed
  • Filter: Discards records that do not match a specific condition
  • Transpose: Remove columns from a table and create a new column from its values
  • Parse: Use regex to extract columns inline.
  • Union: Executes two or more subqueries and merges the results into a single table
  • Let: Defines one or more new fields in the table

There are many use cases for PowerQuery, but to help you understand the tool’s power, we have identified some examples to demonstrate how you can build queries to provide exportable and straightforward summaries of large amounts of data.

Example 1: Conti Ransomware IOC Hunt

A traditional ransomware search may require a simple query for a file hash; this is effective if you only have a few examples or matches in your environment. If the problem is more widespread, you could get back thousands of rows of data. With PowerQuery, you can quickly summarize all the hosts where you have seen this hash with additional details all from a single query. The question is, “show me a list of all the machines where we have seen this Conti hash” – this can quickly be answered with a PowerQuery.

In this PowerQuery example, we start with a simple search for a hash, but then add additional functions to group by endpoint name, add other columns to the table for source process display name and count and then sort by largest number to smallest.

Results of a PowerQuery for a Conti hash
  • Line 1: Search for a specific SHA hash
  • Line 2: Group by event count for each endpoint and source process
  • Line 3: add columns to the table for endpoint name, source process display name, and count
  • Line 4: Sort by largest to the smallest number of events

This query gives back an easy-to-read and understandable summary of potentially millions of records across a broad time range.

Example 2: Network Connection Volume by User and Endpoint

As part of threat hunting or an investigation, it may be helpful to identify hosts that are making a large number of network connections. With PowerQuery, you can do statistical calculations to build a table of endpoints and users making a high number of connections.

In this example, we start with a standard query for a process user.

Network Connection Volume by User and Endpoint

Just to walk through this query line by line:

  • Line 1: Simple wildcard search for source process user
  • Line 2: Creating a group called connection_count, the sum of the src.process.netConnCount field by process user and endpoint name
  • Line 3: Add additional columns to the table for endpoint and user
  • Line 4: Sort connection_count from largest to smallest
  • Line 5: Limit the results to the top 25

We provide auto-complete to make it easy to understand available fields and what you might want to do next.

Example 3: Top Threat Indicators by Endpoint

Threat indicators can be valuable data sources for threat hunting and investigations on a host. Many threat indicators are data points that don’t always turn into threat detections. Using PowerQuery, it may be possible to identify hosts with a significant number of threat indicators to potentially identify the early stages of an attack or a breached host.

In this example, we will build a table of hosts with large numbers of threat indicators.

Top Threat Indicators by Endpoint

To answer this question with a PowerQuery, we just need a few additional transformations:

  • Line 1: Search for any records that have relevant indicator categories, not “General”
  • Line 2: Create a new column named Tactic, which is equal to the indicator.category field
  • Line 3: Define columns for our table – endpoint, indicator name, and tactic
  • Line 4: Group data by indicator count for each column
  • Line 5: Filter data to endpoints that have more than 1000 indicators over the time period
  • Line 6: Sort from largest indicator count to smallest
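The three walk-throughs above describe the same pipeline shape: search, group with an aggregate, pick columns, filter on the aggregate, sort, limit. The following is an added example, written for this article and not SentinelOne's PowerQuery syntax or code, that implements that pipeline in plain Python over a handful of constructed endpoint events so the transformations can be followed step by step. The field names (src.process.user, src.process.netConnCount, endpoint.name, indicator.category) mirror those named in the post; the event records, user names and the file hash placeholders are constructed for illustration and are not real IOCs.

```python
"""Toy group/columns/filter/sort/limit pipeline modelled on the three PowerQuery
walk-throughs (Conti hash hunt, connection volume, threat indicators).
Added example; not SentinelOne's query language or code. All data is constructed."""
from collections import defaultdict
from fnmatch import fnmatch

# Constructed process events (not real telemetry; hash values are placeholders, not IOCs).
EVENTS = [
    {"endpoint.name": "ws-01", "src.process.user": "alice", "src.process.displayName": "outlook.exe",
     "src.process.netConnCount": 120, "tgt.file.sha1": "PLACEHOLDER_HASH_A"},
    {"endpoint.name": "ws-01", "src.process.user": "alice", "src.process.displayName": "chrome.exe",
     "src.process.netConnCount": 340, "tgt.file.sha1": "PLACEHOLDER_HASH_B"},
    {"endpoint.name": "ws-02", "src.process.user": "bob", "src.process.displayName": "powershell.exe",
     "src.process.netConnCount": 900, "tgt.file.sha1": "PLACEHOLDER_HASH_A"},
    {"endpoint.name": "ws-02", "src.process.user": "bob", "src.process.displayName": "powershell.exe",
     "src.process.netConnCount": 650, "tgt.file.sha1": "PLACEHOLDER_HASH_A"},
    {"endpoint.name": "srv-01", "src.process.user": "SYSTEM", "src.process.displayName": "svchost.exe",
     "src.process.netConnCount": 75, "tgt.file.sha1": "PLACEHOLDER_HASH_C"},
]

# Constructed threat-indicator events; "General" is the low-value category the post excludes.
INDICATORS = [
    {"endpoint.name": "ws-02", "indicator.name": "ProcessDiscovery", "indicator.category": "Discovery"},
    {"endpoint.name": "ws-02", "indicator.name": "ProcessDiscovery", "indicator.category": "Discovery"},
    {"endpoint.name": "ws-02", "indicator.name": "CredentialAccess", "indicator.category": "Credential Access"},
    {"endpoint.name": "ws-02", "indicator.name": "ProcessDiscovery", "indicator.category": "Discovery"},
    {"endpoint.name": "ws-01", "indicator.name": "GenericInfo", "indicator.category": "General"},
    {"endpoint.name": "ws-01", "indicator.name": "GenericInfo", "indicator.category": "General"},
    {"endpoint.name": "srv-01", "indicator.name": "ProcessDiscovery", "indicator.category": "Discovery"},
]


def group_by(records, keys, aggregates):
    """One output row per distinct combination of `keys`; each aggregate
    (name -> reducer over the group's member records) is computed per group."""
    buckets = defaultdict(list)
    for rec in records:
        buckets[tuple(rec.get(k) for k in keys)].append(rec)
    rows = []
    for key, members in buckets.items():
        row = dict(zip(keys, key))
        for name, reducer in aggregates.items():
            row[name] = reducer(members)
        rows.append(row)
    return rows


def count():
    return lambda members: len(members)


def sum_of(field):
    return lambda members: sum(m.get(field, 0) for m in members)


def filter_rows(rows, predicate):
    return [r for r in rows if predicate(r)]


def columns(rows, names):
    return [{n: r[n] for n in names} for r in rows]


def sort_desc(rows, field):
    return sorted(rows, key=lambda r: r[field], reverse=True)


def limit(rows, n):
    return rows[:n]


def hosts_with_hash(events, sha1):
    """Example 1: every endpoint/source process pair that touched the hash, busiest first."""
    hits = filter_rows(events, lambda e: e.get("tgt.file.sha1") == sha1)
    rows = group_by(hits, ["endpoint.name", "src.process.displayName"], {"count": count()})
    return sort_desc(columns(rows, ["endpoint.name", "src.process.displayName", "count"]), "count")


def connections_by_user_and_endpoint(events, user_pattern="*", top=25):
    """Example 2: wildcard user search, sum netConnCount per user+endpoint, sort, top N."""
    hits = filter_rows(events, lambda e: fnmatch(e.get("src.process.user", ""), user_pattern))
    rows = group_by(hits, ["src.process.user", "endpoint.name"],
                    {"connection_count": sum_of("src.process.netConnCount")})
    rows = columns(rows, ["endpoint.name", "src.process.user", "connection_count"])
    return limit(sort_desc(rows, "connection_count"), top)


def noisy_endpoints(indicators, threshold=1000):
    """Example 3: drop "General", let Tactic = indicator.category, count per
    endpoint/indicator/tactic, keep groups above the threshold, sort descending."""
    relevant = filter_rows(indicators, lambda i: i.get("indicator.category") != "General")
    tagged = [dict(i, Tactic=i["indicator.category"]) for i in relevant]
    rows = group_by(tagged, ["endpoint.name", "indicator.name", "Tactic"], {"indicator_count": count()})
    rows = filter_rows(rows, lambda r: r["indicator_count"] > threshold)
    return sort_desc(rows, "indicator_count")


if __name__ == "__main__":
    for row in hosts_with_hash(EVENTS, "PLACEHOLDER_HASH_A"):
        print(row)
    for row in connections_by_user_and_endpoint(EVENTS, "*", top=2):
        print(row)
    # The post's threshold is 1000 indicators; the toy data set needs a lower one to show a hit.
    for row in noisy_endpoints(INDICATORS, threshold=2):
        print(row)
```

The point of running the grouping first and filtering on the aggregate afterwards, as Example 3's Line 5 does, is that the raw event stream never has to be read by a person: a threshold on a count per host is what turns millions of indicator rows into a short list of candidates worth looking at.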

PowerQuery Extracts More Value From Your Data

PowerQuery is the next step towards providing the data analytics capabilities you need to unlock the full potential of your EDR and XDR data. While this blog post contains three simple examples of PowerQuery, there are many different capabilities for the tool to allow novice and advanced users to get answers from their data.

Users will have much larger limits on the number of rows in the data they are querying and won’t have to export search results to CSV for further analysis. Users can easily save these queries to come back and generate updated tables within seconds or use the API to pull this data into an external application.

If you would like to learn more about PowerQueries, Singularity XDR and the SentinelOne Data platform, contact us for more information or request a free demo.


Fisher-Price Space Saver High Chair – When Space Is At The Essence Of Our Everyday Living

Fisher-Price has been a good name in the baby products industry for quite some time now. They are known to produce high-quality products that are safe, durable, and efficient. The Fisher-Price Space Saver High Chair is one of these products that have managed to establish itself as a part of our daily lives.

About Fisher-Price Space Saver High Chair

The Fisher-Price SpaceSaver High Chair is one of the most popular high chairs in Europe and the US. It lets you keep your child close when they need it most, since a full-size high chair is too big for a tiny apartment or a small guest room, while a regular booster seat isn’t safe enough once they start to feed themselves.

When the Fisher-Price high chair was introduced in 2009, it quickly landed on top of the ‘must have’ lists for moms with mobile little ones who prefer to roam around when eating.

The Fisher-Price Space Saver High Chair is simple to use, super safe, and it’s easy to clean. It also comes in a variety of colors so you can find the perfect match for your décor. But let’s take a closer look at this great device:
From a safety point of view, the Fisher-Price Space Saver High Chair has many features that make it safe for you and your child. The five-point harness keeps the baby safely in place while feeding themselves or being fed by others, so there is no need to worry.

You can choose from three different height settings according to what is comfortable for you when using this high chair which makes it easy on your back, and the adjustable tray is removable so you can clean it easily. The Fisher-Price Space Saver High Chair is also easy to transport from home to a grandparent’s house or even on holiday, making it one of the best high chairs for travel.

The size of this chair makes it possible to keep your baby close while they are eating or playing on their own. This means that you can enjoy your meals together while at the same time keeping an eye on them to make sure they are safe and happy.

From a practical point of view, having a high chair in your dining room is not ideal when you have little space. But with this baby device, you don’t sacrifice safety for living space, because the Fisher-Price Space Saver High Chair only takes up a little corner of your dining room.

The price of this product is very reasonable, and it’s more affordable than some other high chairs, which also makes it good value for money compared to others on the market. Some people opt for another type of chair, like a booster seat, because they don’t want to spend so much, but when you think about it, is that the safest option for your child? The fact that Fisher-Price has considered all this when designing this product is evident.

There are some disadvantages to owning this chair. One of which is that it can be a bit tricky to assemble, and another is that some people find it hard to adjust the height settings. But considering its many benefits, I think this device is definitely worth having in your home.

If you are thinking about purchasing a high chair for your baby, then you should take a good look at the Fisher-Price Space Saver High Chair. It’s easy to use, has excellent features, and does the job perfectly.

The Fisher-Price Space Saver High Chair is a baby feeding chair that fits seamlessly into your modern-day family life. The chair’s design was in direct response to moms who wanted convenience and simplicity without compromising on safety, comfort, or style for their babies.

The Fisher-Price Space Saver High Chair features:

  • Adjustable seat: 2 height adjustments & 3 recline positions
  • Machine-washable seat pad
  • Dishwasher-safe, segmented tray
  • Reusable tray liner
  • Safety harness
  • Toddler booster mode

Is The Fisher-Price Space Saver High Chair worth it?

The Fisher-Price Space Saver High Chair is easy to clean and has adjustable heights and reclines, making it practical for feeding or playing. The price is reasonable compared to other chairs with the same features.

The Space Saver High Chair has a removable dishwasher-safe tray and a 3-point harness system that keeps your baby safe and secure. While the baby is seated, it offers a deep seat with soft polyester fabric, a machine-washable seat pad, a 5-point restraint belt for securing the child into the booster seat, and an adjustable height feature that allows you to bring the tray table to your baby.

The Fisher-Price Space Saver High Chair folds down flat for storage or travel. You can use this chair until your little one reaches up to 35 pounds, usually around 1 year of age. The Fisher-Price Space Saver High Chair will give you many years of enjoyment and help to feed your little one in complete safety and comfort.

This high chair is recommended by pediatricians and moms due to its safety standards & compact size. But some parents had issues with the height settings and putting it together.

However, we think that considering all the pros and some minor cons, this chair is still worth having in your home. And if you’re looking for a high chair without all those extra bells & whistles, then this may be something to consider for your family.

If this sounds just like what you have been looking for, don’t wait any longer! Buy the ultimate high chair from Amazon and enjoy your baby feeding time to the fullest!

How to assemble The Fisher-Price Space Saver High Chair

Assembling the Fisher-Price Space Saver High Chair can be a pain if you don’t know what you are doing. It’s not rocket science, but every little part of this device must be in its place.

This is what you need to do to assemble the chair:

  1. Place the seat pad on top of the metal frame and push the two pieces together to attach them.
  2. Place the shoulder straps in between the seat pad and metal frame to connect them.
  3. Feed both armrests through the holes on the back of the metal frame, and you should hear a ‘click’ sound indicating that they are firmly attached.
  4. Make sure that all joints and bolts are correctly tightened.

Now that your chair is assembled, you can start using it as soon as possible. You just have to put the adjustable tray in place and strap your child in with the safety buckle.

Our opinion on Fisher-Price Space Saver High Chair

The Fisher-Price Space Saver High Chair is a great product. It’s simple and does what it’s supposed to do well. Is there anything else to say? We love this baby chair because it allows you to eat dinner as a family without sacrificing your child’s safety. After all, the most important thing is that they are secure and happy.

A quick look on some websites that I trust for buying baby gear reveals a fantastic 95% of very positive reviews, which is definitely a good score, showing how much people love this product.

We love this high chair because it is the perfect solution for small homes, as well as a great alternative to standard high chairs or those bulky baby feeding gadgets that take up too much space. The Fisher-Price Space Saver High Chair is safe and easy to use, so I highly recommend it.


IRS Will Soon Require Selfies for Online Access

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

The IRS says it will require ID.me for all logins later this summer.

McLean, Va.-based ID.me was originally launched in 2010 with the goal of helping e-commerce sites validate the identities of customers who might be eligible for discounts at various retail establishments, such as veterans, teachers, students, nurses and first responders.

These days, ID.me is perhaps better known as the online identity verification service that many states now use to help staunch the loss of billions of dollars in unemployment insurance and pandemic assistance stolen each year by identity thieves. The privately-held company says it has approximately 64 million users, and gains roughly 145,000 new users each day.

Some 27 states already use ID.me to screen for identity thieves applying for benefits in someone else’s name, and now the IRS is joining them. The service requires applicants to supply a great deal more information than typically requested for online verification schemes, such as scans of their driver’s license or other government-issued ID, copies of utility or insurance bills, and details about their mobile phone service.

When an applicant doesn’t have one or more of the above — or if something about their application triggers potential fraud flags — ID.me may require a recorded, live video chat with the person applying for benefits.

Since my credentials at the IRS will soon no longer work, I opted to create an ID.me account and share the experience here. An important preface to this walk-through is that verifying one’s self with ID.me requires one to be able to take a live, video selfie — either with the camera on a mobile device or a webcam attached to a computer (your webcam must be able to open on the device you’re using to apply for the ID.me account).

Also, successfully verifying your identity with ID.me may require a significant investment of time, and quite a bit of patience. For example, stepping away from one part of the many-step application process for a little more than five minutes necessitated another login, and then the re-submission of documents I’d previously uploaded.

After entering an email address and picking a password, you are prompted to confirm your email address by clicking a link sent to that address. After confirmation, ID.me prompts users to choose a multi-factor authentication (MFA) option.

The MFA options range from a six-digit code sent via text message or phone call to code generator apps and FIDO Security Keys. ID.me even suggests using its own branded one-time code generating app, which can “push” a prompt to your mobile device for you to approve whenever you log in. I went with and would encourage others to use the strongest MFA option — a physical Security Key. For more on the benefits of using a Security Key for MFA, see this post.

When the MFA option is verified, the system produces a one-time backup code and suggests you save that in a safe place in case your chosen MFA option is unavailable the next time you try to use a service that requires ID.me.

Next, applicants are asked to upload images of their driver’s license, state-issued ID, or passport — either via a saved file or by scanning them with a webcam or mobile device.

If your documents get accepted, ID.me will then prompt you to take a live selfie with your mobile device or webcam. That took several attempts. When my computer’s camera produced an acceptable result, ID.me said it was comparing the output to the images on my driver’s license scans.

After this, ID.me requires the verification of your phone number, which means they will ask your mobile or landline provider to validate you are indeed an existing, paying customer who can be reached at that number. ID.me says it currently does not accept phone numbers tied to voice-over-IP services like Google Voice and Skype.

My application got stuck interminably at the “Confirming Your Phone” stage, which is somewhere near the middle of the entire verification process.

An email to ID.me’s support people generated a message with a link to complete the verification process via a live video chat. Unfortunately, clicking that link brought up prompts to re-upload all of the information I’d already supplied, and then some.

Some of the primary and secondary documents requested by ID.me.

For example, completing the process requires submitting at least two secondary identification documents, such as a Social Security card, a birth certificate, health insurance card, W-2 form, electric bill, or financial institution statement.

After re-uploading all of this information, ID.me’s system prompted me to “Please stay on this screen to join video call.” However, the estimated wait time when that message first popped up said “3 hours and 27 minutes.”

I appreciate that ID.me’s system relies on real human beings seeking to interview applicants in real-time, and that not all of those representatives can be expected to handle all of these immediately. And I get that slowing things down is an important part of defeating identity fraudsters who are seeking to exploit automated identity verification systems that largely rely on static data about consumers.

That said, I started this “Meet an agent” process at around 9:30 in the evening, and I wasn’t particularly looking forward to staying up until midnight to complete it. But not long after the message about waiting 3 hours came up, I got a phone call from an ID.me technician who was CC’d on my original email to ID.me’s founder. Against my repeated protests that I wanted to wait my turn like everyone else, he said he would handle the process himself.

Sure enough, a minute later I was connected with the ID.me support person, who finished the verification in a video phone call. That took about one minute. But for anyone who fails the automated signup, count on spending several hours getting verified.

When my application was finally approved, I headed back to irs.gov and proceeded to log in with my new ID.me account. After granting the IRS access to the personal data I’d shared with ID.me, I was looking at my most recent tax data on the IRS website.

I was somewhat concerned that my ID verification might fail because I have a security freeze on my credit file with the three major consumer credit bureaus. But at no time during my application process did ID.me even mention the need to lift or thaw that security freeze to complete the authentication process.

The IRS previously relied upon Equifax for its identity proofing process, and even then anyone with frozen credit files had to lift the freeze to make it through the IRS’s legacy authentication system. For several years, the result of that reliance was that ID thieves massively abused the IRS’s own website to impersonate taxpayers, view their confidential tax records, and ultimately obtain fraudulent tax refunds in their names.

The IRS canceled its “taxpayer identity” contract with Equifax in October 2017, after the credit bureau disclosed that a failure to patch a four-month-old zero-day security flaw led to the theft of Social Security numbers and personal and financial information on 148 million Americans.

Perhaps in light of that 2017 megabreach, many readers will be rightfully concerned about being forced to provide so much sensitive information to a relatively unknown private company. KrebsOnSecurity spoke with ID.me founder and CEO Blake Hall in last year’s story, How $100 Million in Jobless Claims Went to Inmates. I asked Hall what ID.me does to secure all this sensitive information it collects, which would no doubt serve as an enticing target for hackers and identity thieves.

Hall said ID.me is certified against the NIST 800-63-3 digital identity guidelines, employs multiple layers of security, and fully segregates static consumer data tied to a validated identity from a token used to represent that identity.

“We take a defense-in-depth approach, with partitioned networks, and use very sophisticated encryption scheme so that when and if there is a breach, this stuff is firewalled,” Hall said. “You’d have to compromise the tokens at scale and not just the database. We encrypt all that stuff down to the file level with keys that rotate and expire every 24 hours. And once we’ve verified you we don’t need that data about you on an ongoing basis.”

ID.me’s privacy policy states that if you sign up for ID.me “in connection with legal identity verification or a government agency we will not use your verification information for any type of marketing or promotional purposes.”

Signing up at ID.me requires users to approve a biometric data policy that states the company will not sell, lease, or trade your biometric data to any third parties or seek to derive any profit from that information. ID.me says users can delete their biometric data at any time, but there was no apparent option to do so when I logged straight into my new account at ID.me.

When I asked the support technician who conducted the video interview to remove my biometric data, he sent me a link to a process for deleting one’s ID.me account. So, it seems that removing one’s data from ID.me post-verification equals deleting one’s account, and potentially having to re-register at some point in the future.

Over the years, I’ve tried to stress the importance of creating accounts online tied to your various identity, financial and communications services before identity thieves do it for you. But all of those places where you should “Plant Your Flag” conduct identity verification in an automated fashion, using entirely static data points about consumers that have been breached many times over (SSNs, DoBs, etc).

Love it or hate it, ID.me is likely to become one of those places where Americans need to plant their flag and mark their territory, if for no other reason than it will probably be needed at some point to manage your relationship with the federal government and/or your state. And given the potential time investment needed to successfully create an ID.me account, it might be a good idea to do that before you’re forced to do so at the last minute (such as waiting until the eleventh hour to pay your quarterly or annual estimated taxes).

If you’ve visited the sign-in page at the U.S. Social Security Administration (SSA) lately, you’ll notice that on or around Sept. 18, 2021 the agency stopped allowing new accounts to be created with only a username and password. Anyone seeking to create an account at the SSA is now steered toward either ID.me or Login.gov, a single sign-on solution for U.S. government websites.

At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates

The Russian government said today it arrested 14 people accused of working for “REvil,” a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown is part of an effort to reduce tensions over Russian President Vladimir Putin’s decision to station 100,000 troops along the nation’s border with Ukraine.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The FSB said it arrested 14 REvil ransomware members, and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized more than US $600,000, 426 million rubles (roughly US $5.5 million), 500,000 euros, and 20 “premium cars” purchased with funds obtained from cybercrime.

“The search activities were based on the appeal of the US authorities, who reported on the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB said. “Representatives of the US competent authorities have been informed about the results of the operation.”

The FSB did not release the names of any of the individuals arrested, although a report from the Russian news agency TASS mentions two defendants: Roman Gennadyevich Muromsky, and Andrey Sergeevich Bessonov. Russian media outlet RIA Novosti released video footage from some of the raids:

REvil is widely thought to be a reincarnation of GandCrab, a Russian-language ransomware affiliate program that bragged of stealing more than $2 billion when it closed up shop in the summer of 2019. For roughly the next two years, REvil’s “Happy Blog” would churn out press releases naming and shaming dozens of new victims each week. A February 2021 analysis from researchers at IBM found the REvil gang earned more than $120 million in 2020 alone.

But all that changed last summer, when REvil associates working with another ransomware group — DarkSide — attacked Colonial Pipeline, causing fuel shortages and price spikes across the United States. Just months later, a multi-country law enforcement operation allowed investigators to hack into the REvil gang’s operations and force the group offline.

In November 2021, Europol announced it arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals, which referred to the men as “REvil Affiliate #22” and “REvil Affiliate #23.”

It is clear that U.S. authorities have known for some time the real names of REvil’s top captains and moneymakers. Last fall, President Biden told Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

So why now? Russia has amassed approximately 100,000 troops along its southern border with Ukraine, and diplomatic efforts to defuse the situation have reportedly broken down. The Washington Post and other media outlets today report that the Biden administration has accused Moscow of sending saboteurs into Eastern Ukraine to stage an incident that could give Putin a pretext for ordering an invasion.

“The most interesting thing about these arrests is the timing,” said Kevin Breen, director of threat research at Immersive Labs. “For years, Russian Government policy on cybercriminals has been less than proactive to say the least. With Russia and the US currently at the diplomatic table, these arrests are likely part of a far wider, multi-layered, political negotiation.”

President Biden has warned that Russia can expect severe sanctions should it choose to invade Ukraine. But Putin in turn has said such sanctions could cause a complete break in diplomatic relations between the two countries.

Dmitri Alperovitch, co-founder of and former chief technology officer for the security firm CrowdStrike, called the REvil arrests in Russia “ransomware diplomacy.”

“This is Russian ransomware diplomacy,” Alperovitch said on Twitter. “It is a signal to the United States — if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.”

The REvil arrests were announced as many government websites in Ukraine were defaced by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the Internet. “Be afraid and expect the worst,” the message warned.

Experts say there is good reason for Ukraine to be afraid. Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

The warning left behind on Ukrainian government websites that were defaced in the last 24 hours. The same statement is written in Ukrainian, Russian and Polish.

Russia also has been suspected of releasing NotPetya, a large-scale cyberattack initially aimed at Ukrainian businesses that ended up creating an extremely disruptive and expensive global malware outbreak.

Although there has been no clear attribution of these latest attacks to Russia, there is reason to suspect Russia’s hand, said David Salvo, deputy director of The Alliance for Securing Democracy.

“These are tried and true Russian tactics. Russia used cyber operations and information operations in the run-up to its invasion of Georgia in 2008. It has long waged massive cyberattacks against Ukrainian infrastructure, as well as information operations targeting Ukrainian soldiers and Ukrainian citizens. And it is completely unsurprising that it would use these tactics now when it is clear Moscow is looking for any pretext to invade Ukraine again and cast blame on the West in its typical cynical fashion.”

The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good

Cyber cops in Ukraine, assisted by US and UK law enforcement officers, have this week busted a ransomware gang that is believed to have caused losses of around $1 million to more than 50 American and European businesses.

According to the Cyberpolice of Ukraine, a husband-and-wife team from Kyiv aided by three accomplices used malspam to breach companies and infect them with ransomware. The gang also offered IP anonymization services to other cyber criminals and stole banking credentials from UK consumers. These were subsequently used to purchase goods from online stores, which were later resold for cash.

The gang no doubt believed they were on to a good thing until the cops raided their homes and confiscated three cars along with multiple computers, phones, bank cards and flash drives. The five individuals will be charged with offenses related to computer misuse, the use, distribution or sale of malicious software or hardware, and money laundering. As the gang had contacts with other international cyber criminals, there is the potential for further arrests down the road, and police say the investigation is ongoing.

The Bad

While it’s great to see the police take down one ransomware gang, plenty of others are still running amok. This week has seen a number of other successful attacks impacting businesses.

Among those affected are Netherlands’ Game Mania, which was hit in the early hours of Monday morning with a ransomware attack and data breach. Attackers gained access to a server containing company data, including customer PII, as well as deploying an unnamed ransomware. While the company says its business activities remain unaffected, they are warning customers to be vigilant of phishing scams and unsolicited emails demanding money.

Wednesday saw another attack on US critical infrastructure. Last week it was an Albuquerque jail, this week it’s the education sector. Albuquerque Public Schools were forced to cancel classes in around 31 schools after teachers discovered the attack prevented them from accessing the APS student information system, which is used to record attendance, grades and other student information.

In a stark reminder of the true costs of ransomware, this week also saw Houston-based United Structures of America, Inc, which fabricates and designs steel structures for use in buildings and other applications, file for bankruptcy as a consequence of a ransomware attack back in 2019. The attackers erased the company’s financial records and technical software and demanded a ransom for return of the data. Although the company paid the ransom, the attackers did not fulfill their end of the bargain and the data was never returned. As a result, the company, which at one time had brought in revenue in excess of $100 million, was forced to start winding down its operations.

The Ugly

Software development and bugs go hand-in-hand, which is why many vendors offer bug bounty programs so that external researchers can help spot problems the developers may not have foreseen. Even so, there are still some really bad bugs out there that remain unpatched, and things really start to turn ugly when it turns out that a piece of security software has had a known but unpatched bypass for eight years.

The bug? It turns out Microsoft Defender allows unprivileged users to look up any locally excluded paths. Even if an admin hasn’t created any exclusions, certain software installations and server configurations can result in some paths being automatically excluded. If an attacker has local access, they can look up these excluded paths and drop their malware at paths that Defender will ignore. Researchers this week tested the theory with a sample of Conti ransomware, encrypting the device while Defender sat idly by.

For enterprises relying on Defender to protect their servers and other endpoints, this is a gaping security hole. While an attacker does need a foothold, they don’t need privileges, and with plenty of other RCEs available at the moment, it really is past time that enterprises started looking beyond OS vendors for effective defense of their endpoints and networks.
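The practical counterpart to this story is an audit on the defender’s side: list the exclusions actually configured on each endpoint and flag the ones that point into user-writable locations or that are broader than a single path, since those are the ones a local attacker benefits from. The PowerShell below is an added example, not code from the original post; it assumes the Defender cmdlets are available (Windows 10 / Server 2016 and later) and an elevated session, and the list of “risky” prefixes is a constructed starting point, not an authoritative list.

```powershell
# Added example (not from the original post): audit local Microsoft Defender
# exclusions and flag the ones an admin should review.
# Assumes an elevated session with the Defender module (Get-MpPreference) available.

# Constructed list of prefixes that are typically writable by standard users.
# Extend it for your own environment.
$riskyPrefixes = @(
    "$env:SystemDrive\Users\",
    "$env:SystemDrive\ProgramData\",
    "$env:SystemDrive\Temp\",
    "$env:windir\Temp\"
)

# Extensions that, if excluded, would let executable content through unscanned.
$riskyExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'js', 'vbs', 'scr')

function Get-DefenderExclusionReport {
    $pref = Get-MpPreference
    $rows = @()

    # Path exclusions: flag user-writable prefixes and wildcard patterns.
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($p)
        $risky = $false
        foreach ($prefix in $riskyPrefixes) {
            if ($expanded.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
                $risky = $true
                break
            }
        }
        # A wildcard makes the exclusion cover more than one location.
        if ($expanded -match '[\*\?]') { $risky = $true }
        $rows += [pscustomobject]@{ Type = 'Path'; Value = $expanded; Risky = $risky }
    }

    # Extension exclusions: flag anything that can carry code.
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        $ext = $e.TrimStart('.').ToLowerInvariant()
        $rows += [pscustomobject]@{ Type = 'Extension'; Value = $e; Risky = ($ext -in $riskyExtensions) }
    }

    # Process exclusions skip scanning of every file that process opens,
    # so each one deserves a review regardless of where the binary lives.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        $rows += [pscustomobject]@{ Type = 'Process'; Value = $proc; Risky = $true }
    }

    return $rows
}

$rows = Get-DefenderExclusionReport
if (-not $rows) {
    Write-Output "No local Defender exclusions configured."
} else {
    $rows | Sort-Object Risky -Descending | Format-Table -AutoSize
    $flagged = @($rows | Where-Object { $_.Risky }).Count
    Write-Output "$flagged of $($rows.Count) exclusions flagged for review."
}
```

Run it periodically from your endpoint management tooling and diff the output against the last run: a new exclusion appearing under a user profile or temp directory, or a new process exclusion, is the kind of change worth an alert rather than a quiet report.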

Toddler wooden chair – cute and worth your trust!

There is nothing better than a classic, trusty wooden chair when you need a place for your child to sit. Made of natural materials, able to take significant weight, and easy to clean with a damp cloth – you can’t go wrong with this.

As a parent, the biggest problem that you may come across is finding a reliable toddler wooden chair. It is likely that you will find various ones on the market, but it may be confusing to choose which one would suit your kid’s needs.

You don’t need to worry, as we have compiled all the necessary information about toddler wooden chairs and their pros and cons here. First, let us start with what to consider when buying a wooden chair for your toddler.

Things To Consider Before Buying A Wooden Toddler Chair

You may find many stylish and durable toddler wooden chairs, but it’s crucial to keep certain things in your mind before buying one.

• Your kid’s comfort. Make sure that the seat is deep enough to accommodate your toddler. The bottom of the chair must be sturdy to bear heavy pressure on it.

• Durability. The wooden toddler chair should be sturdy and long-lasting so that your child can use it for many years without any problem. A strong base is advisable because the child’s weight will be on the chair, so avoid chairs made up of plastic or metal as they are not durable. The wooden one is best as it can be used for many years.

• Material. Wooden toddler chairs are more durable and comfortable, which is why most parents prefer buying a wooden one rather than other types. There are various kinds of wood available on the market, but go for ones with veneer as it is more durable and long-lasting.

• Price. You may find many wooden toddler chairs within your budget, so do not worry about the price.

These are some tips that you need to consider before buying a wooden toddler chair for your child. It not only lets you cherish time with your kid but also develops various skills in them, like creativity and independence.

Best wooden chairs for your toddler

Do you want to buy a wooden toddler chair for your child? Here are some of the best ones available in the market.

Famobay Bunny Ears Wooden Toddler Chair

Just look how cute this toddler chair is! The backrest shaped like bunny ears is an adorable feature for little ones. It is made of solid and smooth wooden construction, making it long-lasting and sturdy.

Based on its innovative design, you would think that this toddler chair would be much more expensive than any other option on the market. However, it is not the case here!

This bunny ears toddler chair is available on Amazon at a very reasonable price. It is solid, durable, and easy to keep clean, making it the best choice for your household.

Famobay Antlers Wooden Toddler Chair

If you like Bunny Ears Toddler Wooden Chair, you will be happy to learn that another similar toddler chair is available. This time its design is based on antlers to make your little one feel like a wild animal.

Like the previous product, this antlers toddler chair is made of natural smooth wood, making it very durable. It can carry heavy weight, up to 400 lbs, which you can’t say about other products on the market. There is no doubt that your child can use this chair for many years.

Melissa & Doug Wooden Chairs, Set of 2

Melissa & Doug’s kids’ furniture is the way to go for those wanting a simple and classic design for kids’ room. The playroom chairs set was created with safety in mind – something Melissa & Doug is well-known for. The chairs feature a reinforced, tip-resistant design.

They are made from durable wood, with materials that hold up to 100 pounds. The Melissa & Doug Solid Wood Chairs set makes an excellent gift for kids from 3 to 8 years old.

Toddler Chair CXRYLZ

If you like a simple design but still wish to bring your toddler a little bit of color, take a look at this chair. This little chair is made of wood and will surely look lovely in any kids’ room. It also has round edges, which are much safer for your toddler than sharp ones.

This chair is so cute, you might not want to give it away when your kid grows up! Beautiful colors are not the only thing that makes this chair so unique. It is also made of quality materials which make it durable and long-lasting.

Its compact size will help you fit it almost anywhere in your house, even if you have limited space for kids’ furniture: 25cm/10in legs, 30 x 30cm/12” x 12” seat surface, and 26.5 x 20cm/10.5” x 7.9” backrest. This cutie can hold up to 250 lbs.

HOUCHICS Wooden Toddler Chair

Unique toddler wooden chair! This piece has a curved back to better protect your child from being injured by the prismatic edge of the wooden stool. It is not only for safety reasons but also to give your child a more comfortable sitting position.

This toddler chair has an additional feature of non-slip pads that will help prevent the stool from sliding on the floor surface. You can also adjust its height depending on what you need at the moment.

The HOUCHICS Wooden Toddler Chair is very easy to clean – you can use a damp cloth and soap. A wide handle at the back provides a comfortable grip to lift the toddler chair off the floor.

It’s suitable for children from 3 years of age up to 6-7 years. Be sure that your child will be comfortable sitting on this stool!

iPlay iLearn 10 Inch Kids Solid Hard Wood Animal Chair

Cute animal chairs with vivid, engaging characters are appealing and attractive to children aged 2 and up. Not only will your child be excited to sit on the iPlay iLearn animal chairs, but they will be learning at the same time.

Each chair has a sturdy 10-inch solid wood base designed to prevent tipping when your child leans against it. The triangular structure of the chair legs helps prevent tipping, and anti-slip pads on each leg prevent falls.

The iPlay iLearn chairs can be stacked for easy storage, and they are made of 100% natural smooth hardwood. They are hand-painted with non-toxic paints to ensure complete safety.

This is the perfect gift for toddlers aged 2-4! Parents love it because it is sturdy, safe, and easy to clean; kids love them because of the vibrant colors and animal characters. Among the patterns, you’ll find a giraffe visible above, a frog, and a cow.

Why is it necessary to buy a wooden toddler chair?

As we all know, kids look forward to spending time with their parents and if you can encourage them to spend more time on furniture, then do it as soon as possible. As a parent, you must have noticed that your child prefers being beside you rather than playing alone. It’s a sign that your child wants to spend more time with you, which is absolutely normal.

The best way to encourage them is to buy them a wooden toddler chair because it would allow your child to sit beside you and enjoy being together while reading books or watching exhibits on display cabinets. This can be good practice for your child to be more responsible and understand the concept of time, as it also encourages them to play independently.

Children prefer wooden chairs because they are more comfortable than other types. They like splashes of color in their surroundings, so if you buy a wooden toddler chair in a vibrant color, your child will love it. A wooden toddler chair is the best way to encourage your child and develop their creative side.

Apart from all these benefits, toddlers learn many things by watching us, so if you want them to become responsible and obedient in the future, teach them how to sit correctly on a wooden toddler chair. They will get an idea about sitting straight, and it would be beneficial for them in the future.

The post Toddler wooden chair – cute and worth your trust! appeared first on Comfy Bummy.

Rapid Response with XDR One-Click Remediations

Responding to a cyber threat takes time as defenders want to do more than merely stop malicious threats; they also need to ensure any compromised identities or accounts are restored, that any lingering phishing emails sitting in inboxes ready to re-detonate and restart the attack are cleaned up, that if vulnerable software was involved it’s patched or removed from endpoints, and the list goes on.

For years now, the only way to do this efficiently was via a SOAR, and that required high costs and usually additional headcount to build and maintain the playbooks. All this led to a very ‘human-centric’ manual response process, which added up to a longer containment and response time.

XDR was made to solve problems like these. Singularity XDR unifies and extends detection, investigation and response capability across the entire enterprise, providing security teams with centralized end-to-end enterprise visibility, powerful analytics, and automatable response across the technology stack – making every security workflow faster, more effective and more accurate.

Recently, we introduced XDR apps for response that take this approach to the next level with one-click remediations. Let’s find out more.

XDR Response Actions for One-Click Remediation

Our recent launch of additional XDR apps for response is an XDR milestone that will continue to strengthen Singularity XDR. With XDR Response actions, a user can drop an API Key into our Marketplace, choose the automatic actions and conditions they desire, and SentinelOne will do the rest.

This kind of response can take an action in seconds that would have otherwise taken minutes or required opening a ticket and waiting.

Take the act of resetting a user’s password and expiring their sessions. Most SOC analysts don’t have access to the proper Identity Provider portals (IdPs) to do this as the identity team doesn’t want to add the entire SOC to the portal. At best, it would have required the identity team creating very specific RBAC roles in AD, Okta, etc to have security roles. Without access, the analyst must open a ticket and wait. With XDR, there’s a button for that. Where is it? Right in the threat.

XDR Response actions are the single click that can stop expansion. If an analyst finds a threat where an internal user’s credentials have been used to log into email and send phishing links, XDR can suspend the user’s email access or just block the hash from being passed around. Until the credentials can be trusted again, that analyst can also move the user to a more restrictive SASE policy to ensure data like financial results and intellectual property stored in cloud apps are protected.

How Does It Work?

The identity team provides the SentinelOne admin an API key which is then input into the Marketplace. The key can be broadly permissive or purpose fit to ensure least privilege just for the SentinelOne XDR use cases.

Next, the user selects which integrations to turn on and which to leave disabled. They then select if the action should happen on all threats or just those SentinelOne has higher confidence on as being malicious. The user is now done with configuration.

The app they selected is pre-programmed with all the logic needed. The next time a matching threat pops up, SentinelOne will automatically take the chosen action.

For admins that want to allow analysts to evaluate threats before taking actions, manual actions can be enabled in the same Marketplace flow. Manual actions allow admins to browse a list of all enabled XDR actions to remediate a threat across the stack, whether it be banning a hash, a user, or an IP address.

This keeps the analyst in the loop before actions are taken while still helping accelerate remediation to minutes instead of hours or even days when there are dependencies on another team.

XDR Offers Greater Flexibility Than a SOAR

While a SOAR can be a tremendous tool for those who have the budget and staff, XDR is the turnkey tool that allows more teams to adopt orchestration. SOAR playbooks can run highly customized flows but maintaining them as processes and tools change has proved a barrier or unsustainable for many.

Enabling a list of automatic actions or manually selecting them from a threat triage model is the flexible approach that enables every team of every size to be more efficient and effective.

What Triggered This Innovation, Why Now?

This technological leap is arriving now because of the need to streamline security workflows, consolidate various tools in the SOC while rapidly responding to remediate threats across the enterprise. While partnerships and Marketplaces have been done before, they’ve never been done with this level of deeper, frictionless integration.

XDR requires vendors to work together to build integrations that go deeper and broader. We’ve found the market is ready to partner and that’s why we’ve taken a “native and open” approach to XDR, offering many solutions on our platform while partnering with best-in-class vendors from across the stack.

XDR is the result of a better understanding of how teams work and what fits budgets. Security is trending in the direction of tools that give teams flexibility without requiring them to build and maintain complex logic or code.

The market has been waiting for simple security that saves teams time and money without a large upfront investment. Technology, partnership, and knowledge have all converged to bring security into the next generation.

Conclusion

With XDR apps for response and one-click remediations, Singularity XDR and Singularity Marketplace continue to expand, offering deeper, more effective integrations that simplify the remediation cycle.

Automated actions are available today and will become more nuanced in how and when they are automatically invoked as our partners create new APIs for us to integrate with, to go deeper into their products, and unlock the full value of every layer in the stack to mitigate and remediate threats.

Interested in learning more? Read about our open approach to XDR that allows for connecting best-in-class products. Want to see how XDR works for your organization? Contact us or request a free Singularity XDR demo.


‘Wormable’ Flaw Leads January 2022 Patch Tuesday

Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.

Nine of the vulnerabilities fixed in this month’s Patch Tuesday received Microsoft’s “critical” rating, meaning malware or miscreants can exploit them to gain remote access to vulnerable Windows systems through no help from the user.

By all accounts, the most severe flaw addressed today is CVE-2022-21907, a critical, remote code execution flaw in the “HTTP Protocol Stack.” Microsoft says the flaw affects Windows 10 and Windows 11, as well as Server 2019 and Server 2022.

“While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “Test and deploy this patch quickly.”

Quickly indeed. In May 2021, Microsoft patched a similarly critical and wormable vulnerability in the HTTP Protocol Stack; less than a week later, computer code made to exploit the flaw was posted online.

Microsoft also fixed three more remote code execution flaws in Exchange Server, a technology that hundreds of thousands of organizations worldwide use to manage their email. Exchange flaws are a major target of malicious hackers. Almost a year ago, hundreds of thousands of Exchange servers worldwide were compromised by malware after attackers started mass-exploiting four zero-day flaws in Exchange.

Microsoft says the limiting factor with these three newly found Exchange flaws is that an attacker would need to be tied to the target’s network somehow to exploit them. But Satnam Narang at Tenable notes Microsoft has labeled all three Exchange flaws as “exploitation more likely.”

“One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency,” Narang said. “Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.”

Security firm Rapid7 points out that roughly a quarter of the security updates this month address vulnerabilities in Microsoft’s Edge browser via Chromium.

“None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today,” Rapid7’s Greg Wiseman said. “This includes two Remote Code Execution vulnerabilities affecting open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.”

Wiseman said slightly less scary than the HTTP Protocol Stack vulnerability is CVE-2022-21840, which affects all supported versions of Office, as well as SharePoint Server.

“Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website,” he said. “Thankfully the Windows preview pane is not a vector for this attack.”

Other patches include fixes for .NET Framework, Microsoft Dynamics, Windows Hyper-V, Windows Defender, and the Windows Remote Desktop Protocol (RDP). As usual, the SANS Internet Storm Center has a per-patch breakdown by severity and impact.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Update, Jan. 12, 9:02 a.m.: Apparently some of the updates Microsoft released yesterday — KB5009557 (2019) and KB5009555 (2022) — are causing something to fail on domain controllers, which then keep rebooting every few minutes. That’s according to this growing thread on Reddit (hat tip to @campuscodi).

Who is the Network Access Broker ‘Wazawaka?’

In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.

Wazawaka has been a highly active member of multiple cybercrime forums over the past decade, but his favorite is the Russian-language community Exploit. Wazawaka spent his early days on Exploit and other forums selling distributed denial-of-service (DDoS) attacks that could knock websites offline for about USD $80 a day. But in more recent years, Wazawaka has focused on peddling access to organizations and to databases stolen from hacked companies.

“Come, rob, and get dough!,” reads a thread started by Wazawaka on Exploit in March 2020, in which he sold access to a Chinese company with more than $10 billion in annual revenues. “Show them who is boss.”

According to his posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.

Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias “Uhodiransomwar” can be seen posting download links to databases from companies that have refused to negotiate after five days.

“The only and the main principle of ransomware is: the information that you steal should never be sold,” Uhodiransomwar wrote in August 2020. “The community needs to receive it absolutely free of charge if the ransom isn’t paid by the side that this information is stolen from.”

Wazawaka hasn’t always been so friendly to other cybercrooks. Over the past ten years, his contact information has been used to register numerous phishing domains intended to siphon credentials from people trying to transact on various dark web marketplaces. In 2018, Wazawaka registered a slew of domains spoofing the real domain for the Hydra dark web market. In 2014, Wazawaka confided to another crime forum member via private message that he made good money stealing accounts from drug dealers on these marketplaces.

“I used to steal their QIWI accounts with up to $500k in them,” Wazawaka recalled. “A dealer would never go to the cops and tell them he was selling stuff online and someone stole his money.”

WHO IS WAZAWAKA?

Wazawaka used multiple email addresses and nicknames on several Russian crime forums, but data collected by cybersecurity firm Constella Intelligence show that Wazawaka’s alter egos always used one of three fairly unique passwords: 2k3x8x57, 2k3X8X57, and 00virtual.

Those three passwords were used by one or all of Wazawaka’s email addresses on the crime forums over the years, including wazawaka@yandex.ru, mixseo@mail.ru, mixseo@yandex.ru, mixfb@yandex.ru.

That last email address was used almost a decade ago to register a Vkontakte (Russian version of Facebook) account under the name Mikhail “Mix” Matveev. The phone number tied to that Vkontakte account — 7617467845 — was assigned by the Russian telephony provider MegaFon to a resident in Khakassia, situated in the southwestern part of Eastern Siberia.

DomainTools.com [an advertiser on this site] reports mixfb@yandex.ru was used to register three domains between 2008 and 2010: ddosis.ru, best-stalker.com, and cs-arena.org. That last domain was originally registered in 2009 to a Mikhail P. Matveyev, in Abakan, Khakassia.

Mikhail Matveev is not the most unusual name in Russia, but other clues help narrow things down quite a bit. For example, early in his postings to Exploit, Wazawaka can be seen telling members that he can be contacted via the ICQ instant message account 902228.

An Internet search for Wazawaka’s ICQ number brings up a 2009 account for a Wazawaka on a now defunct discussion forum about Kopyovo, a town of roughly 4,400 souls in the Russian republic of Khakassia.

MIKHAIL’S MIX

Also around 2009, someone using the nickname Wazawaka and the 902228 ICQ address started posting to Russian social media networks trying to convince locals to frequent the website “fureha.ru,” which was billed as another website catering to residents of Khakassia.

According to the Russian domain watcher 1stat.ru, fureha.ru was registered in January 2009 to the email address mix@devilart.net and the phone number +79617467845, which is the same number tied to the Mikhail “Mix” Matveev Vkontakte account.

DomainTools.com says the mix@devilart.net address was used to register two domains: one called badamania[.]ru, and a defunct porn site called tvporka[.]ru. The phone number tied to that porn site registration back in 2010 was 79235810401, also issued by MegaFon in Khakassia.

A search in Skype for that number shows that it was associated more than a decade ago with the username “matveevatanya1.” It was registered to a now 29-year-old Tatayana Matveeva Deryabina, whose Vkontakte profile says she currently resides in Krasnoyarsk, the largest city that is closest to Abakan and Abaza.

It seems likely that Tatayana is a relative of Mikhail Matveev, perhaps even his sister. Neither responded to requests for comment. In 2009, a Mikhail Matveev from Abaza, Khakassia registered the username Wazawaka on weblancer.net, a freelance job exchange for Russian IT professionals. The Weblancer account says Wazawaka is currently 33 years old.

In March 2019, Wazawaka explained a lengthy absence on Exploit by saying he’d fathered a child. “I will answer everyone in a week or two,” the crime actor wrote. “Became a dad — went on vacation for a couple of weeks.”

One of the many email addresses Wazawaka used was devdelphi@yandex.ru, which is tied to a more recent but since-deleted Vkontakte account for a Mikhail Matveev and which used the password 2k3X8X57. As per usual, I put together a mind map showing the connections referenced in this story:

A rough mind map of the connections mentioned in this story.
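The chain above is a textbook selector pivot: each hop reuses one attribute (a password, a phone number, an email address) that two otherwise separate records share. The following script is an added illustration of that method and is not code from this article or from Constella Intelligence or DomainTools; every record, handle and selector value in it is constructed for the example, and the weak-password list is an assumption. It builds an undirected graph of handles and selectors, finds the shortest pivot chain between two handles, and lists everything in a handle’s cluster. The one practitioner caveat it encodes is that a shared password is only a useful pivot when it is rare: common passwords link strangers, so they are dropped before pivoting.

```python
from collections import defaultdict, deque

# Constructed records in the shape of breach-dump, WHOIS and social-profile rows.
# All values are placeholders for the example; none are identifiers from the story.
RECORDS = [
    {"handle": "alias_one",  "email": "a@example.invalid", "password": "x9q2k7p1"},
    {"handle": "alias_two",  "email": "b@example.invalid", "password": "x9q2k7p1"},
    {"handle": "alias_two",  "email": "b@example.invalid", "phone": "+70000000001"},
    {"handle": "profile_a",  "phone": "+70000000001", "email": "c@example.invalid"},
    {"handle": "domain_x",   "email": "c@example.invalid", "phone": "+70000000002"},
    {"handle": "relative_r", "phone": "+70000000002"},
    # An unrelated person who merely shares a very common password with alias_one.
    {"handle": "unrelated",  "email": "z@example.invalid", "password": "123456"},
    {"handle": "alias_one",  "password": "123456"},
]

# Assumed list of passwords too common to serve as a pivot between identities.
WEAK_PASSWORDS = {"123456", "password", "qwerty"}


def build_graph(records, weak=WEAK_PASSWORDS):
    """Undirected graph whose nodes are 'handle:<name>' and typed selectors
    such as 'email:<addr>'. Passwords in the weak set are skipped, because a
    password shared by millions of users links people who have nothing in common."""
    adj = defaultdict(set)
    for rec in records:
        h = "handle:" + rec["handle"]
        adj[h]  # make sure a handle with no usable selectors still exists as a node
        for kind in ("email", "phone", "password"):
            value = rec.get(kind)
            if value is None or (kind == "password" and value in weak):
                continue
            node = f"{kind}:{value}"
            adj[h].add(node)
            adj[node].add(h)
    return adj


def pivot_path(adj, src, dst):
    """Breadth-first search for the shortest chain of selectors linking two
    handles. Returns the node list (handles and selectors alternating) or None."""
    start, goal = "handle:" + src, "handle:" + dst
    if start not in adj or goal not in adj:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def cluster(adj, handle):
    """Sorted list of every handle reachable from the given one via shared selectors."""
    start = "handle:" + handle
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(n.split(":", 1)[1] for n in seen if n.startswith("handle:"))


if __name__ == "__main__":
    graph = build_graph(RECORDS)
    print(" -> ".join(pivot_path(graph, "alias_one", "relative_r")))
    print("cluster with weak passwords excluded:", cluster(graph, "alias_one"))
    # Without the weak-password filter the unrelated account is wrongly pulled in.
    print("cluster with no filter:", cluster(build_graph(RECORDS, weak=set()), "alias_one"))
```

Run as a script it prints the five-hop chain from alias_one to relative_r (password, phone, email, phone) and shows that the unrelated account joins the cluster only when the weak-password filter is switched off. In real investigations the same rarity test applies to phone numbers, which carriers recycle, and the timestamps on each record matter as much as the selector itself.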

Analysts with cyber intelligence firm Flashpoint say Wazawaka’s postings on various Russian crime forums show he is proficient in many specializations, including botnet operations, keylogger malware, spam botnets, credential harvesting, Google Analytics manipulation, selling databases for spam operations, and launching DDoS attacks.

Flashpoint says it is likely Wazawaka/Mix/M1x has shared cybercriminal identities and accounts with multiple other forum members, most of whom appear to have been partners in his DDoS-for-hire business a decade ago. For example, Flashpoint points to an Antichat forum thread from 2009 where members said M1x worked on his DDoS service with a hacker by the nickname “Vedd,” who was reputedly also a resident of Abakan.

STAY TRUE, & MOTHER RUSSIA WILL HELP YOU

All of this is academic, of course, provided Mr. Wazawaka chooses to a) never leave Russia and b) avoid cybercrime activities that target Russian citizens. In a January 2021 thread on Exploit regarding the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka seemed already resigned to those limitations.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his own personal mantra.

Which might explain why Wazawaka is so lackadaisical about hiding and protecting his cybercriminal identities: Incredibly, Wazawaka’s alter ego on the forum XSS — Uhodiransomware — still uses the same password on the forum that he used for his Vkontakte account 10 years ago. Lucky for him, XSS also demands a one-time code from his mobile authentication app, so the reused password alone would not get anyone into the forum account. It still ties the two identities together, though; a second factor protects the login, not the attribution.

The second step of logging into Wazawaka’s account on XSS (Uhodiransomwar).

Wazawaka said NetWalker’s closure was the result of its administrator (a.k.a. “Bugatti”) getting greedy, and then proceeded to preach about the need to periodically re-brand one’s cybercriminal identity.

“I’ve had some business with Bugatti,” Wazawaka said. “The guy got too rich and began recruiting Americans as affiliate partners. What happened now is the result. That’s okay, though. I wish Bugatti to do some rebranding and start from the beginning 🙂 As for the servers that were seized, they should’ve hosted their admin panels in Russia to avoid getting their servers seized by INTERPOL, the FBI, or whatever.”

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”
