Feature Spotlight | Introducing Singularity Dark Mode

We’re excited to announce the availability of Singularity Dark Mode, an optional UI feature now available to all our customers. In this blog post, we’ll explore the origins and advantages of Dark Mode, explain why it was important for us to offer Singularity users this choice, and offer a step-by-step guide on how to take advantage of this great new feature.

Dark Mode Returns

The first digital interfaces were powered by Cathode-Ray Tube (CRT), a technology that was invented for use in radars during WWII. Initially, CRT technology wasn’t efficient enough to illuminate an entire surface. Hence, for the very first computer screens, dark mode was default.

By the 1970’s, technology was more advanced and the concept of WYSIWYG interfaces was introduced. This new approach, based on the assumption that displays were like printed paper (although paper doesn’t glow), introduced Light Mode as we know it today. For a long time, Light Mode has been the default condition. However, Dark Mode has become an increasingly popular feature in mainstream products. Modern digital screens are far more advanced than CRT ones, yet, decades later, there’s a striking similarity between the old and the new.

The Advantages of Dark Mode

The science behind Dark Mode is still a little shady, with lots of conflicting views and evidence as to its benefits. That being said, here are a few things that are generally agreed upon:

  • A Step Forward in Accessibility: Reduced contrasts have been proven to help people with light sensitivity or visual impairment.
  • Less Harmful to Sleep Cycle: Emitting less blue light, Dark Mode has less impact on Melatonin levels (the hormone that makes us tired).
  • Better for Dimly Lit Environments: Lower contrasts reduce eye-strain significantly, so when working in a dark environment, Dark Mode is easier on the eyes.
  • Super Slick Look & Feel: A big driver of dark mode is aesthetics. Many people simply have an affinity for Dark Mode and the aesthetics it entails.

Best Practice: Freedom of Choice

There’s no doubt that some people prefer to work in Dark Mode while others do not. Some people prefer to work in Dark Mode at certain times, but not at others. We realized that it was important to give our users the ability to experience a product in their chosen contrast polarity, and allow them to switch easily between light and dark modes.

We also realized that the benefits of choosing between Dark Mode and Light Mode could only really work if it was customizable by each user. Putting the decision into the hands of the individual user ensures a more pleasant experience when using our products. We know that people rarely change defaults, but they should be able to do so when they wish and with ease.

Introducing Singularity Dark Mode

Being a customer focused company, Singularity Dark Mode was designed with our users in mind. Contrasts were adjusted to comply with universal WCAG AA accessibility standards and the feature, as a whole, was tested as a Beta on selected customers and perfected over numerous feedback iterations.

Singularity Dark Mode is now available to all customers.

Switching to Singularity Dark Mode

It couldn’t be easier to switch between light and dark modes for your user profile.

  1. Open the Management Console on your browser.
  2. In the top right corner, click on your Username and select My User
  3. In My User, click the Options menu and select Switch to Dark Mode
  4. To revert back to Light Mode, select Switch to Light Mode from the Options menu

Path Summary:

Username / My User / Options / Switch to Dark Mode

Conclusion

Given that Singularity Console sees frequent use, it makes great sense to give our customers the option to view the UI in the way that makes them most comfortable and that enhances their personal productivity. The introduction of Dark Mode for Singularity reflects our belief that products that are meant for long-form consumption should offer a Dark Mode feature and the option should ideally be pervasive throughout all the screens of that product.

If you would like to learn more about how SentinelOne Singularity can help protect your organization, contact us or request a free demo.

From the Front Lines | Hive Ransomware Deploys Novel IPfuscation Technique To Avoid Detection

By James Haughom, Antonis Terefos, Jim Walter, Jeff Cavanaugh, Nick Fox, and Shai Tilias

Overview

In a recent IR engagement, our team happened upon a rather interesting packer (aka crypter or obfuscator) that was ultimately utilized to construct and execute shellcode responsible for downloading a Cobalt Strike Beacon. The sample at the end of this chain is not necessarily sophisticated or particularly novel, but it does leverage an interesting obfuscation technique that we have dubbed “IPfuscation”.

In this post, we describe this novel technique as it is used across several variants of malware. Along with the IPfuscation technique, we have identified a number of markers which have allowed us to pivot into additional discoveries around the actor or group behind this campaign.

Technical Details

The samples in question are 64-bit Windows Portable Executables, each containing an obfuscated payload used to deliver an additional implant. The obfuscated payload masquerades itself as an array of ASCII IPv4 addresses. Each one of these IPs is passed to the RtlIpv4StringToAddressA function, which will translate the ASCII IP string to binary. The binary representation of all of these IPs is combined to form a blob of shellcode.

The general flow is:

  1. Iterate through “IPs” (ASCII strings)
  2. Translate “IPs” to binary to reveal shellcode
  3. Execute shellcode either by:
    • Proxying execution via callback param passed to EnumUILanguagesA
    • Direct SYSCALLs

Using byte sequences, sequences of WinAPI calls, and some hardcoded metadata affiliated with the malware author, we were able to identify a handful of other variants of this loader (hashes provided below with the IOCs), one of which we have dubbed “UUIDfuscation” and was also recently reported on by Jason Reaves. A Golang Cobalt Strike loader was also discovered during the investigation, which had a hardcoded source code path similar to what we have already seen with the ‘IPfuscated’ samples, suggesting that the same author may be responsible for both.

Tools, COTS, LOLBINs and More

The TTPs uncovered during the incident align with previous reporting of the Hive Ransomware Affiliate Program, with the attackers having a preference for publicly available Penetration Testing frameworks and tooling (see TTPs table). Like many other ransomware groups, pre-deployment Powershell and BAT scripts are used to prepare the environment for distribution of the ransomware, while ADFind, SharpView, and BloodHound are used for Active Directory enumeration. Password spraying was performed with SharpHashSpray and SharpDomainSpray, while Rubeus was used to request TGTs. Cobalt Strike remains their implant of choice, and several different Cobalt Strike loaders were identified including: IPfuscated loader, Golang loader, and a vanilla Beacon DLL. Finally, GPOs and Scheduled Tasks are used to deploy digitally signed ransomware across the victim’s network.

IPfuscated Cobalt Strike Loader

Our team discovered and analyzed a 64-bit PE (4fcc141c13a4a67e74b9f1372cfb8b722426513a) with a hardcoded PDB path matching the project structure of a Visual Studio project.

C:UsersAdministratorsourcereposConsoleApplication1x64ReleaseConsoleApplication1.pdb

This particular sample leverages the IPfuscation technique. Within the binary is what appears to be an array of IP addresses.

Each of these “IP addresses” is passed to RtlIpv4StringToAddressA and then written to heap memory.

What is interesting is that these “IP addresses” are not used for network communication, but instead represent an encoded payload. The binary representation of these IP-formatted strings produced by RtlIpv4StringToAddressA is actually a blob of shellcode.

For example, the first hardcoded IP-formatted string is the ASCII string “252.72.131.228”, which has a binary representation of 0xE48348FC (big endian), and the next “IP” to be translated is “240.232.200.0”, which has a binary representation of 0xC8E8F0. Together, they create the below sequence of bytes.

Disassembling these “binary representations” shows the start of shellcode generated by common pentesting frameworks.

Once the shellcode has finished being deobfuscated in this manner, the malware proxies invocation of the shellcode by passing its address to the EnumUILanguagesA WinAPI function. This is achieved by supplying the shellcode address as the UILanguageEnumProc, which is a callback routine to be executed.

The shellcode is the common Cobalt Strike stager to download and execute Beacon. Here is a look at the PEB traversal to find one of the modules lists, followed by the ROT13 hash being calculated for target WinAPIs to execute.

Hell’s Gate Variant

A handful of additional samples were found with a similar sequence of functions and static properties, including the same error message. The Hell’s Gate variant (d83df37d263fc9201aa4d98ace9ab57efbb90922) is different from the previous sample in that it uses Hell’s Gate (direct SYSCALLs) rather than EnumUILanguagesA to execute the deobfuscated shellcode. This sample’s PDB path is:

E:UsersPCsourcereposHellsGate+ipv4x64ReleaseHellsGate+ipv4.pdb

In this variant, the IP-formatted strings are procedurally placed in local variables, rather than being looped through as seen previously.

Once all the IP strings have been defined within the scope of this function, memory is allocated with NtAllocateVirtualMemory via a direct SYSCALL, and the deobfuscation loop commences.

Following the loop, a few SYSCALLs are made to pass control flow to the deobfuscated shellcode.

IPfuscation Variants

Among the discovered variants were three additional obfuscation methods using techniques very similar to IPfuscation. Rather than using IPv4 addresses, the following were also found being used to hide the payload:

  • IPfuscation – IPv6 addresses
  • UUIDfuscation – UUIDs & base64 encoded UUIDs
  • MACfuscation – MAC addresses

Here we can see the original IPfuscated sample versus the UUID variant being translated via UuidFromStringA.

The UUID variant stores the obfuscated payload in the same manner as IPfuscated samples.

The MAC address variant translates the shellcode via RtlEthernetStringToAdressA and then uses a callback function, a parameter to EnumWindows, to pass control flow to the shellcode. Again, the MAC addresses forming the payload are stored the same as with previous variants.

The IPv6 variants operate almost identically to the original IPfuscated sample. The only difference is that IPv6-style address are used, and RtlIpv6StringToAddressA is called to translate the string to binary data.

Golang Cobalt Strike Loader

Among other samples discovered during the incident was a Golang-compiled EXE (3a743e2f63097aa15cec5132ad076b87a9133274) with a reference to a source code Golang file that follows the same syntax as one of the identified IPfuscated samples.

[0x0045d2c0]> iz~go~Users
4542 0x000d62e9 0x004d78e9 27   28   .rdata  ascii   
C:/Users/76383/tmp/JzkFF.go

GetProcAddress is called repeatedly, with 8 byte stack strings being used to form the WinAPI names to be located in memory.

The shellcode is stored as a cleartext hexadecimal string in the .rdata section.

This string is read into a buffer and translated into binary, somewhat similar to the IPfuscated flow.

Before translation into binary:

After translation into binary:

Control flow is then passed to the shellcode, which is yet another Cobalt Strike stager attempting to download Beacon.

Conclusion

Our incident response team is constantly intercepting early-use tactics, techniques and artifacts, with IPfuscation just the latest such technique deployed by malware authors. Such techniques prove that oftentimes a creative and ingenious approach can be just as effective as a highly sophisticated and advanced one, particularly when enterprise defense is based on security tools that rely on static signatures rather than on behavioral detection.

If you would like to learn how SentinelOne can help protect your organization regardless of the attack vector, contact us or request a free demo.

Indicators of Compromise

SHA1 Description
d83df37d263fc9201aa4d98ace9ab57efbb90922 IPfuscated Cobalt Strike stager (Hell’s Gate variant)
49fa346b81f5470e730219e9ed8ec9db8dd3a7fa IPfuscated Cobalt Strike stager
fa8795e9a9eb5040842f616119c5ab3153ad71c8 IPfuscated Cobalt Strike stager
6b5036bd273d9bd4353905107755416e7a37c441 IPfuscated Cobalt Strike stager
8a4408e4d78851bd6ee8d0249768c4d75c5c5f48 IPfuscated Cobalt Strike stager
49fa346b81f5470e730219e9ed8ec9db8dd3a7fa IPfuscated Cobalt Strike stager
6e91cea0ec671cde7316df3d39ba6ea6464e60d9 IPfuscated Cobalt Strike stager
24c862dc2f67383719460f692722ac91a4ed5a3b IPfuscated Cobalt Strike stager
415dc50927f9cb3dcd9256aef91152bf43b59072 IPfuscated Cobalt Strike stager
2ded066d20c6d64bdaf4919d42a9ac27a8e6f174 IPfuscated Cobalt Strike stager (Hell’s Gate variant)
27b5d056a789bcc85788dc2e0cc338ff82c57133 IPfuscated Cobalt Strike stager
SHA 256 Description
065de95947fac84003fd1fb9a74123238fdbe37d81ff4bd2bff6e9594aad6d8b UUID variant
0809e0be008cb54964e4e7bda42a845a4c618868a1e09cb0250210125c453e65 UUID variant
12d2d3242dab3deca29e5b31e8a8998f2a62cea29592e3d2ab952fcc61b02088 UUID variant
130c062e45d3c35ae801eb1140cbf765f350ea91f3d884b8a77ca0059d2a3c54 UUID variant
39629dc6dc52135cad1d9d6e70e257aa0e55bd0d12da01338306fbef9a738e6b UUID variant
5086cc3e871cf99066421010add9d59d321d76ca5a406860497faedbb4453c28 UUID variant
56c5403e2afe4df8e7f98fd89b0099d0e2f869386759f571de9a807538bad027 UUID variant
60cfce921a457063569553d9d43c2618f0b1a9ab364deb7e2408a325e3af2f6f UUID variant
6240193f7c84723278b9b5e682b0928d4faf22d222a7aa84556c8ee692b954b0 UUID variant
6a222453b7b3725dcf5a98e746f809e02af3a1bd42215b8a0d606c7ce34b6b2b UUID variant
6bdd253f408a09225dee60cc1d92498dac026793fdf2c5c332163c68d0b44efd UUID variant
9c90c72367526c798815a9b8d58520704dc5e9052c41d30992a3eb13b6c3dd94 UUID variant
9cd407ea116da2cda99f7f081c9d39de0252ecd8426e6a4c41481d9113aa523e UUID variant
a586efbe8c627f9bb618341e5a1e1cb119a6feb7768be076d056abb21cc3db66 UUID variant
c384021f8a68462348d89f3f7251e3483a58343577e15907b5146cbd4fa4bd53 UUID variant
c76671a06fd6dd386af102cf2563386060f870aa8730df0b51b72e79650e5071 UUID variant
e452371750be3b7c88804ea5320bd6a2ac0a7d2c424b53a39a2da3169e2069e9 UUID variant
e9bb47f5587b68cd725ab4482ad7538e1a046dd41409661b60acc3e3f177e8c4 UUID variant
e9da9b5e8ebf0b5d2ea74480e2cdbd591d82cd0bdccbdbe953a57bb5612379b0 UUID variant
efbdb34f208faeaebf62ef11c026ff877fda4ab8ab31e99b29ff877beb4d4d2b UUID variant
f248488eedafbeeb91a6cfcc11f022d8c476bd53083ac26180ec5833e719b844 UUID variant
e61ecd6f2f8c4ba8c6f135505005cc867e1eea7478a1cbb1b2daf22de25f36ce MAC Address Variant
f07a3c6d9ec3aeae5d51638a1067dda23642f702a7ba86fc3df23f0397047f69 MAC Address Variant
7667d0e90b583da8c2964ba6ca2d3f44dd46b75a434dc2b467249cd16bf439a0 IPv6 Variant
75244059f912d6d35ddda061a704ef3274aaa7fae41fdea2efc149eba2b742b3 x86 IPv4 Variant
7e8dd90b84b06fabd9e5290af04c4432da86e631ab6678a8726361fb45bece58 x86 IPv4 Variant
C2 Description
103.146.179.89 Cobalt Strike server
service-5inxpk6g-1304905614.gz.apigw.tencentcs[.]com Cobalt Strike server
service-kibkxcw1-1305343709.bj.apigw.tencentcs[.]com:80 Cobalt Strike server
103.146.179.89 Cobalt Strike server
1.15.80.102 Cobalt Strike server
175.178.62.140 Cobalt Strike server
84.32.188.238 Cobalt Strike server

YARA Rules

import "pe"

rule IPfuscatedCobaltStrike
{
	meta:
		description = "IPfuscated Cobalt Strike shellcode" 
		author = "James Haughom @ SentinelLabs"
		date = "2022-3-24"
		hash = "49fa346b81f5470e730219e9ed8ec9db8dd3a7fa"
		reference = "https://s1.ai/ipfuscation"

	strings:
		/*
			This rule will detect IPfuscated Cobalt Strike shellcode
			in PEs.

			For example:
				IPfuscated       | binary representation | instruction
				++++++++++++++++++++++++++++++++++++++++++++++++++++++
				"252.72.131.228" | 0xE48348FC            | CLD ...
				"240.232.200.0"  | 0xC8E8F0              | CALL ... 
		*/
		$ipfuscated_payload_1 = "252.72.131.228"
		$ipfuscated_payload_2 = "240.232.200.0"
		$ipfuscated_payload_3 = "0.0.65.81"
		$ipfuscated_payload_4 = "65.80.82.81"
		$ipfuscated_payload_5 = "86.72.49.210"
		$ipfuscated_payload_6 = "101.72.139.82"
		$ipfuscated_payload_7 = "96.72.139.82"
		$ipfuscated_payload_8 = "24.72.139.82"
		$ipfuscated_payload_9 = "32.72.139.114"
		$ipfuscated_payload_10 = "80.72.15.183"
		$ipfuscated_payload_11 = "74.74.77.49"
		$ipfuscated_payload_12 = "201.72.49.192"
		$ipfuscated_payload_13 = "172.60.97.124"
		$ipfuscated_payload_14 = "2.44.32.65"
		$ipfuscated_payload_15 = "193.201.13.65"
		$ipfuscated_payload_16 = "1.193.226.237"
		$ipfuscated_payload_17 = "82.65.81.72"
		$ipfuscated_payload_18 = "139.82.32.139"
		$ipfuscated_payload_19 = "66.60.72.1"
		$ipfuscated_payload_20 = "208.102.129.120"

	condition:
		// sample is a PE
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		5 of ($ipfuscated_payload_*)
}

rule IPfuscationEnumUILanguages
{
	meta:
		description = "IPfuscation with execution via EnumUILanguagesA"
		author = "James Haughom @ SentinelLabs"
		date = "2022-3-24"
		hash = "49fa346b81f5470e730219e9ed8ec9db8dd3a7fa"
		reference = "https://s1.ai/ipfuscation"

	strings:
		// hardcoded error string in IPfuscated samples
		$err_msg = "ERROR!"

	condition:
		// sample is a PE
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		$err_msg and
		// IPfuscation deobfuscation
		pe.imports("ntdll.dll", "RtlIpv4StringToAddressA") and
		// shellcode execution
		pe.imports ("kernel32.dll", "EnumUILanguagesA")
}

rule IPfuscationHellsGate
{
	meta:
		description = "IPfuscation with execution via Hell's Gate"
		author = "James Haughom @ SentinelLabs"
		date = "2022-3-24"
		hash = "d83df37d263fc9201aa4d98ace9ab57efbb90922"
		reference = "https://s1.ai/ipfuscation"

	strings:
		$err_msg = "ERROR!"

		/*
			Hell's Gate / direct SYSCALLs for calling system routines

			4C 8B D1               mov     r10, rcx
			8B 05 36 2F 00 00      mov     eax, cs:dword_140005000
			0F 05                  syscall             
			C3                     retn
		*/
		$syscall = { 4C 8B D1 8B 05 ?? ?? 00 00 0F 05 C3 }

		/*
			SYSCALL codes are stored in global variable

			C7 05 46 2F 00 00 00 00 00 00      mov     cs:dword_140005000, 0
			89 0D 40 2F 00 00                  mov     cs:dword_140005000, ecx
			C3                                 retn
		*/
		$set_syscall_code = {C7 05 ?? ?? 00 00 00 00 00 00 89 0D ?? ?? 00 00 C3}

	condition:
		// sample is a PE
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
		all of them and
		// IPfuscation deobfuscation
		pe.imports("ntdll.dll", "RtlIpv4StringToAddressA")
}

rule IPfuscatedVariants
{
    meta:
    	author = "@Tera0017/@SentinelOne"
    	description = "*fuscation variants"
    	date = "2022-3-28"
	hash = "2ded066d20c6d64bdaf4919d42a9ac27a8e6f174"
	reference = "https://s1.ai/ipfuscation"

    strings:
    	// x64 Heap Create/Alloc shellcode
     	$code1 = {33 D2 48 8B [2-3] FF 15 [4] 3D 0D 00 00 C0}
     	// x64 RtlIpv4StringToAddressA to shellcode
     	$code2 = {B9 00 00 04 00 FF [9] 41 B8 00 00 10 00}
    
    condition:
     	any of them
}

MITRE ATT&CK – Hive Ransomware Gang

TTP Description MITRE ID
BAT/Powershell scripts Automate pre-ransomware deployment actions T1059
Scheduled Tasks Execute the ransomware payload T1053
Cobalt Strike Primary implant / backdoor S0154
ADFind Active Directory enumeration S0552 / T1087
SharpHashSpray Password spraying T1110.003
DomainHashSpray Password spraying T1110.003
Bloodhound/SharpHound Active Directory enumeration S0521 / T1087
Signed Ransomware Ransomware payload is digitally signed T1587.002
Domain Policy GPO Deploy ransomware via GPO T1484
Net-GPPPassword Steal cleartext passwords from Group Policy Preferences T1552.006
Rubeus Request Kerberos Ticket Granting Tickets T1558
Sharpview Active Directory enumeration T1087
RDP Lateral movement via RDP T1021.001
SAM Dump Credential theft T1003.002

 

Hackers Gaining Power of Subpoena Via Fake “Emergency Data Requests”

There is a terrifying and highly effective “method” that criminal hackers are now using to harvest sensitive customer data from Internet service providers, phone companies and social media firms. It involves compromising email accounts and websites tied to police departments and government agencies, and then sending unauthorized demands for subscriber data while claiming the information being requested can’t wait for a court order because it relates to an urgent matter of life and death.

In the United States, when federal, state or local law enforcement agencies wish to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they must submit an official court-ordered warrant or subpoena.

Virtually all major technology companies serving large numbers of users online have departments that routinely review and process such requests, which are typically granted as long as the proper documents are provided and the request appears to come from an email address connected to an actual police department domain name.

But in certain circumstances — such as a case involving imminent harm or death — an investigating authority may make what’s known as an Emergency Data Request (EDR), which largely bypasses any official review and does not require the requestor to supply any court-approved documents.

It is now clear that some hackers have figured out there is no quick and easy way for a company that receives one of these EDRs to know whether it is legitimate. Using their illicit access to police email systems, the hackers will send a fake EDR along with an attestation that innocent people will likely suffer greatly or die unless the requested data is provided immediately.

In this scenario, the receiving company finds itself caught between two unsavory outcomes: Failing to immediately comply with an EDR — and potentially having someone’s blood on their hands — or possibly leaking a customer record to the wrong person.

“We have a legal process to compel production of documents, and we have a streamlined legal process for police to get information from ISPs and other providers,” said Mark Rasch, a former prosecutor with the U.S. Department of Justice.

“And then we have this emergency process, almost like you see on [the television series] Law & Order, where they say they need certain information immediately,” Rasch continued. “Providers have a streamlined process where they publish the fax or contact information for police to get emergency access to data. But there’s no real mechanism defined by most Internet service providers or tech companies to test the validity of a search warrant or subpoena. And so as long as it looks right, they’ll comply.”

To make matters more complicated, there are tens of thousands of police jurisdictions around the world — including roughly 18,000 in the United States alone — and all it takes for hackers to succeed is illicit access to a single police email account.

THE LAPSUS$ CONNECTION

The reality that teenagers are now impersonating law enforcement agencies to subpoena privileged data on their targets at whim is evident in the dramatic backstory behind LAPSUS$, the data extortion group that recently hacked into some of the world’s most valuable technology companies, including Microsoft, Okta, NVIDIA and Vodafone.

In a blog post about their recent hack, Microsoft said LAPSUS$ succeeded against its targets through a combination of low-tech attacks, mostly involving old-fashioned social engineering — such as bribing employees at or contractors for the target organization.

“Other tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multi-factor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote of LAPSUS$.

The roster of the now-defunct “Infinity Recursion” hacking team, from which some members of LAPSUS$ allegedly hail.

Researchers from security firms Unit 221B and Palo Alto Networks say that prior to launching LAPSUS$, the group’s leader “White” (a.k.a. “WhiteDoxbin,” “Oklaqq”) was a founding member of a cybercriminal group calling itself the “Recursion Team.” This group specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

The founder of the Recursion Team was a then 14-year-old from the United Kingdom who used the handle “Everlynn.” On April 5, 2021, Everlynn posted a new sales thread to the cybercrime forum cracked[.]to titled, “Warrant/subpoena service (get law enforcement data from any service).” The price: $100 to $250 per request.

Everlynn advertising a warrant/subpoena service based on fake EDRs. Image: Ke-la.com.

“Services [include] Apple, Snapchat, Google (more expensive), not doing Discord, basically any site mostly,” read Everlynn’s ad, which was posted by the user account “InfinityRecursion.”

A month prior on Cracked, Everlynn posted a sales thread, “1x Government Email Account || BECOME A FED!,” which advertised the ability to send email from a federal agency within the government of Argentina.

“I would like to sell a government email that can be used for subpoena for many companies such as Apple, Uber, Instagram, etc.,” Everlynn’s sales thread explained, setting the price at $150. “You can breach users and get private images from people on SnapChat like nudes, go hack your girlfriend or something haha. You won’t get the login for the account, but you’ll basically obtain everything in the account if you play your cards right. I am not legally responsible if you mishandle this. This is very illegal and you will get raided if you don’t use a vpn. You can also breach into the government systems for this, and find LOTS of more private data and sell it for way, way more.”

Last week, the BBC reported that authorities in the United Kingdom had detained seven individuals aged 16 to 21 in connection with LAPSUS$.

TAKING ON THE DOXBIN

It remains unclear whether White or Everlynn were among those detained; U.K. police declined to name the suspects. But White’s real-life identity became public recently after he crossed the wrong people.

The de-anonymization of the LAPSUS$ leader began late last year after he purchased a website called Doxbin, a long-running and highly toxic online community that is used to “dox” or post deeply personal information on people.

Based on the feedback posted by Doxbin members, White was not a particularly attentive administrator. Longtime members soon took to harassing him about various components of the site falling into disrepair. That pestering eventually prompted White to sell Doxbin back to its previous owner at a considerable loss. But before doing so, White leaked the Doxbin user database.

White’s leak triggered a swift counterpunch from Doxbin’s staff, which naturally responded by posting on White perhaps the most thorough dox the forum had ever produced.

KrebsOnSecurity recently interviewed the past and current owner of the Doxbin — an established hacker who goes by the handle “KT.” According to KT, it is becoming more common for hackers to use EDRs for stalking, hacking, harassing and publicly humiliating others.

KT shared several recent examples of fraudulent EDRs obtained by hackers who bragged about their success with the method.

“Terroristic threats with a valid reason to believe somebody’s life is in danger is usually the go-to,” KT said, referring to the most common attestation that accompanies a fake EDR.

One of the phony EDRs shared by KT targeted an 18-year-old from Indiana, and was sent to the social media platform Discord earlier this year. The document requested the Internet address history of Discord accounts tied to a specific phone number used by the target. Discord complied with the request.

“Discord replies to EDRs in 30 minutes to one hour with the provided information,” KT claimed.

Asked about the validity of the unauthorized EDR shared by KT, Discord said the request came from a legitimate law enforcement account that was later determined to have been compromised.

“We can confirm that Discord received requests from a legitimate law enforcement domain and complied with the requests in accordance with our policies,” Discord said in a written statement. “We verify these requests by checking that they come from a genuine source, and did so in this instance. While our verification process confirmed that the law enforcement account itself was legitimate, we later learned that it had been compromised by a malicious actor. We have since conducted an investigation into this illegal activity and notified law enforcement about the compromised email account.”

KT said fake EDRs don’t have to come from police departments based in the United States, and that some people in the community of those sending fake EDRs are hacking into police department emails by first compromising the agency’s website. From there, they can drop a backdoor “shell” on the server to secure permanent access, and then create new email accounts within the hacked organization.

In other cases, KT said, hackers will try to guess the passwords of police department email systems. In these attacks, the hackers will identify email addresses associated with law enforcement personnel, and then attempt to authenticate using passwords those individuals have used at other websites that have been breached previously.

“A lot of governments overseas are using WordPress, and I know a kid on Telegram who has multiple shells on gov sites,” KT said. “It’s near impossible to get U.S. dot-govs nowadays, although I’ve seen a few people with it. Most govs use [Microsoft] Outlook, so it’s more difficult because theres usually some sort of multi-factor authentication. But not all have it.”

According to KT, Everlynn and White recently had a falling out, with White paying KT to publish a dox on Everlynn and to keep it pinned to the site’s home page. That dox states that Everlynn is a 15-year-old from the United Kingdom who has used a variety of monikers over the past year alone, including “Miku” and “Anitsu.”

KT said Everlynn’s dox is accurate, and that the youth has been arrested multiple times for issuing fake EDRs. But KT said each time Everlynn gets released from police custody, they go right back to committing the same cybercrimes.

“Anitsu (Miku, Everlynn), an old staff member of Doxbin, was arrested probably 4-5 months ago for jacking government emails used for EDR’ing,” KT said. “White and him are not friends anymore though. White paid me a few weeks ago to pin his dox on Doxbin. Also, White had planned to use EDRs against me, due to a bet we had planned; dox for dox, winner gets 1 coin.”

A FUNDAMENTALLY UNFIXABLE PROBLEM?

Nicholas Weaver, a security specialist and lecturer at the University of California, Berkeley, said one big challenge to combating fraudulent EDRs is that there is fundamentally no notion of global online identity.

“The only way to clean it up would be to have the FBI act as the sole identity provider for all state and local law enforcement,” Weaver said. “But even that won’t necessarily work because how does the FBI vet in real time that some request is really from some podunk police department?”

It’s not clear that the FBI would be willing or able to take on such a task. In November 2021, KrebsOnSecurity broke the news that hackers sent a fake email alert to thousands of state and local law enforcement entities through the FBI’s Law Enforcement Enterprise Portal (LEEP). In that attack, the intruders abused a fairly basic and dangerous coding error on the website, and the fake emails all came from a real fbi.gov address.

The phony message sent in November 2021 via the FBI’s email system.

KrebsOnSecurity asked the FBI whether it had any indication that its own systems were used for unauthorized EDRs. The FBI declined to answer that question, but confirmed it was aware of different schemes involving phony EDRs targeting both the public and the agency’s private sector partners.

“We take these reports seriously and vigorously pursue them,” reads a written statement shared by the FBI. “Visit this page for tips and resources to verify the information you are receiving. If you believe you are a victim of an emergency data request scheme, please report to www.ic3.gov or contact your local FBI field office.”

Rasch said while service providers need more rigorous vetting mechanisms for all types of legal requests, getting better at spotting unauthorized EDRs would require these companies to somehow know and validate the names of every police officer in the United States.

“One of the problems you have is there’s no validated master list of people who are authorized to make that demand,” Rasch said. “And that list is going to change all the time. But even then, the entire system is only as secure as the least secure individual police officer email account.”

The idea of impersonating law enforcement officers to obtain information typically only available via search warrant or subpoena is hardly new. A fictionalized example appeared in the second season of the hit television show Mr. Robot, wherein the main character Elliot pretends to be a police officer to obtain location data in real time from a cellular phone company.

Weaver said what probably keeps fraudulent EDRs from being more common is that most people in the criminal hacking community perceive it as too risky. This is supported by the responses in discussion threads across multiple hacking forums where members sought out someone to perform an EDR on their behalf.

“It’s highly risky if you get caught,” Weaver said. “But doing this is not a matter of skill. It’s one of will. It’s a fundamentally unfixable problem without completely redoing how we think about identity on the Internet on a national scale.”

The current situation with fraudulent EDRs illustrates the dangers of relying solely on email to process legal requests for highly sensitive subscriber data. In July 2021, a bipartisan group of U.S. senators introduced new legislation to combat the growing use of counterfeit court orders by scammers and criminals. The bill calls for funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.

“Forged court orders, usually involving copy-and-pasted signatures of judges, have been used to authorize illegal wiretaps and fraudulently take down legitimate reviews and websites by those seeking to conceal negative information and past crimes,” the lawmakers said in a statement introducing their bill.

The Digital Authenticity for Court Orders Act would require federal, state and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures and removal of online content.

How to create a unicorn toddler bed?

Unicorns are one of the most popular imaginary creatures among young children, and what could be more magical than a unicorn toddler bed? JoJo Siwa Toddler bed by Delta Children, which is sporting a large, colorful, and glittery unicorn headboard, is all the rage right now – and sold out in many stores.

But don’t worry: with a bit of imagination, you can turn any toddler bed into a magical unicorn paradise. Here’s how!

Start with a white or pastel-colored toddler bed.

First, you’ll need to purchase a bed frame designed for toddlers. Ensure the frame is made of sturdy materials and has high sides to prevent your child from falling out.

Dream On Me Portland Toddler Bed

Our first pick for the perfect unicorn bed frame! It’s made of durable wood and features two side rails for safety.

The bed sits low to the floor, making it easy to get in & out. The Dream On Me Portland Toddler bed makes it simple for your toddler to transition from a crib to a bed.

The bed frame comes in classic colors, including white and pale pink. Ideal for unicorn makeover!

Delta Children Wood Sleigh Toddler Bed

Delta Children may not have their unicorn toddler bed in stock, but they have plenty of other great toddler beds that would work perfectly for this project.

This toddler bed is made of sustainable New Zealand pine wood and comes in white, grey, and natural wood finishes. It has a low to the ground design, making it easy for your little one to get in and out of bed. It also features two side rails for safety.

The headboard and footboard feature an elegant sleigh design. The Delta Children Wood Sleigh Toddler Bed would be perfect for any little princess – or unicorn enthusiast!

Add a unicorn-themed toddler bed canopy.

A canopy adds an extra touch of magic to any bed, and a unicorn-themed canopy is a perfect way to transform a regular toddler bed into a unicorn toddler bed! There are plenty of options available online, from simple bed canopies to more elaborate ones with lights and tulle. Have a look at our favorites!

Unicorn Princess Pink Canopy

This pink canopy will make your little girl feel like a unicorn princess! The top of the canopy is adorned with a gold unicorn horn and ears and a flower crown. It’s an extra-long two-layer chiffon fabric and has hook & loop fasteners for easy installation.

The Unicorn Princess Pink Canopy would look great paired with the Delta Children Wood Sleigh Toddler Bed or any other white or pale-colored bed frame.

The Unicorn Princess Pink Canopy can be hung from the ceiling or attached to the bed frame. It’s sure to add some magic to any toddler bedroom!

White Bed Canopy with Glow in The Dark Unicorns, Stars, and Rainbows

This bed canopy is perfect for any unicorn enthusiast! It features 50 different glow-in-the-dark elements: unicorns, stars, and rainbows.

This toddler bed canopy is made of polyester, which is a fire-resistant material. The unicorns and the rest of the design are applied to the net using advanced thermal printing technology, securing the attached drawings from ever falling off.

The White Bed Canopy with Glow in the Dark Unicorns, Stars, and Rainbows will make bedtime even more magical!

Decorate the bed with unicorn toddler bedding.

Now that you have the perfect bed frame and canopy, it’s time to add some unicorn-themed bedding! There are plenty of adorable options available, from quilts and blankets to sheets and pillowcases. Have a look at our favorites!

Funhouse 4 Piece Toddler Bedding Set

This lovely set includes a reversible quilted bedspread, a standard-size pillowcase that may be reversed, and a fitted sheet. Fits most crib/toddler mattresses.

The quilt features a unicorn design on one side and a hearts design on the other. The Funhouse 4 Piece Toddler Bedding Set would make a colorful addition to any unicorn toddler bed!

Carter’s Rainbow Unicorn 4 Piece Toddler Bedding Set

This whimsical toddler set features a double-sided comforter, fitted bottom sheet, flat top sheet, and reversible standard-sized pillowcase in vibrant pink. It’s perfect for any toddler who loves unicorns!

URBONUR 4-Piece Toddler Bedding Set

Made of super-soft microfiber, this set includes a quilt, fitted sheet, flat sheet, and pillowcase. It’s machine washable and dryer safe for easy care.

The quilt’s pink and blue ombre design is adorned with sparkling gold unicorns, making this set extra special.

Wowelife Rainbow Unicorn Toddler Bedding Set 4 Piece

This toddler bedding set combines unicorn and rainbow in pink, create a warm and dreamy bedroom and bring more color and fun to life. It includes a quilt, fitted sheet, flat sheet, and pillowcase.

The Wowelife Rainbow Unicorn Toddler Bedding Set 4 Piece is perfect for any little girl who loves unicorns and rainbows!

Complete the look with unicorn-themed bedroom accessories.

Now that you have the perfect bed and bedding, it’s time to accessorize! There are plenty of ways to add a touch of magic to any unicorn toddler bedroom with wall art, rugs, lamps, and more.

Once you have the bed set up, help your child into it and tuck them in with their favorite stuffed animal. Then, tell them a bedtime story about a magical unicorn kingdom where they can fly and gallop among the stars.

The post How to create a unicorn toddler bed? appeared first on Comfy Bummy.

The Good, the Bad and the Ugly in Cybersecurity – Week 12

The Good

As part of its ongoing efforts to disrupt and disable the cybercrime infrastructure that enables ransomware operations, the FBI this week announced the indictment of a Russian individual on charges of operating a darknet marketplace that sold stolen login credentials, personal identifiable information and authentication tools that allowed cyber criminals to unlawfully access the online accounts of victims around the world.

Igor Dekhtyarchuk, a 23-year old Russian national, was indicted in the Eastern District of Texas and added to the FBI’s Cyber Most Wanted list. According to some sources, Dekhtyarchuk was allegedly the mastermind behind the BAYACC marketplace.

According to the indictment, Dekhtyarchuk first appeared in hacker forums in November 2013 under the alias “floraby” and later began advertising the sale of compromised account data in the marketplace around May 2018.

Through March to July 2021, an FBI undercover operation made thirteen purchases from Dekhtyarchuk while accessing the marketplace from the Eastern District of Texas, resulting in access to over 130 accounts. If convicted, Dekhtyarchuk faces up to 20 years in federal prison.

The Bad

It’s been another uncomfortable week for those engaged in public services and trying to stave off ransomware attacks. On Monday, Rehab Group reported that it had been the victim of a cyber attack on some of its systems. Rehab provides services to more than 10,000 people living with disabilities in Ireland.

Details are sparse, with the group saying only that it has been trying to assess the nature and effect of an attack on its servers over the weekend. Forensic investigation work is underway but so far the group says it has no evidence that data was accessed from the servers or that it has suffered any financial loss.

Meanwhile, the impact of a ransomware attack on Greece’s public postal service, ELTA, was far more obvious and immediate.

According to a report, threat actors dropped malware and opened an HTTPS reverse shell on an ELTA workstation by exploiting an unpatched software vulnerability. In order to contain the impact, the organization immediately isolated its entire data center.

As a result, the company is currently unable to process any kind of final transactions, including bill payments, and all postal mail services are suspended. At the time of writing, there is still no timeline as to when normal service will be resumed. At minimum, it is believed there are over 2,500 devices that need to be examined and cleared to ensure any malware has been removed.

The Ugly

There are many human victims of cyber crime, but one we don’t often see or consider is a mother hiding behind her front door and dealing with reporters asking about hacks on global giants like Microsoft, Nvidia and Okta allegedly perpetrated by her teenage son.

This week, a little-known threat actor named Lapsus$ claimed to have made a number of high-profile breaches of three global enterprises. The group appears to operate as a ransomware gang, stealing data and demanding payment in order not to release it, although they do not bother to encrypt files on the victim’s machine.

Throughout the week, Lapsus$ engaged in a series of public taunts, while leaking source code and internal documents of its victims. The group had embarked on a “large-scale social engineering and extortion campaign against multiple organizations”, according to Microsoft, one of the victims that confirmed it had been hacked. Microsoft also said that the group had successfully recruited insiders in order to assist in their hacks.

As cybersercurity researchers began to focus on the group, it quickly emerged that a number of teen hackers were the likely culprits, including at least one in Brazil and one in the UK. The latter, going by the cyber handles of ‘White’ and ‘breachbase’, was outed by other cyber misfits, who published his address and the addresses of his parents on a public forum.

Inevitably, this led to journalists calling at the address in an attempt to interview the alleged hacker, much to the distress of the boy’s unwitting mother.

While the damage done to organizations by hacking groups such as Lapsus$ is the angle that typically makes the headlines, the human cost to the perpetrators’ own family, friends, and indeed themselves, rarely gets attention. We can only hope that drawing attention to it may act as a further deterrent to those tempted to misuse their cyber talents.

Estonian Tied to 13 Ransomware Attacks Gets 66 Months in Prison

An Estonian man was sentenced today to more than five years in a U.S. prison for his role in at least 13 ransomware attacks that caused losses of approximately $53 million. Prosecutors say the accused also enjoyed a lengthy career of “cashing out” access to hacked bank accounts worldwide.

Maksim Berezan, 37, is an Estonian national who was arrested nearly two years ago in Latvia. U.S. authorities alleged Berezan was a longtime member of DirectConnection, a closely-guarded Russian cybercriminal forum that existed until 2015. Berezan’s indictment (PDF) says he used his status at DirectConnection to secure cashout jobs from other vetted crooks on the exclusive crime forum.

Berezan specialized in cashouts and “drops.” Cashouts refer to using stolen payment card data to make fraudulent purchases or to withdraw money from bank accounts without authorization. A drop is a location or individual able to securely receive and forward funds or goods obtained through cashouts or other types of fraud. Drops typically are used to make it harder for law enforcement to trace fraudulent transactions and to circumvent fraud detection measures used by banks and credit card companies.

Acting on information from U.S. authorities, in November 2020 Latvian police searched Berezan’s residence there and found a red Porsche Carrera 911, a black Porsche Cayenne, a Ducati motorcycle, and an assortment of jewelry. They also seized $200,000 in currency, and $1.7 million in bitcoin.

After Berezan was extradited to the United States in December 2020, investigators searching his electronic devices said they found “significant evidence of his involvement in ransomware activity.”

“The post-extradition investigation determined that Berezan had participated in at least 13 ransomware attacks, 7 of which were against U.S. victims, and that approximately $11 million in ransom payments flowed into cryptocurrency wallets that he controlled,” reads a statement from the U.S. Department of Justice.

Berezan pleaded guilty in April 2021 to conspiracy to commit wire fraud.

The DirectConnection cybercrime forum, circa 2011.

For many years on DirectConnection and other crime forums, Berezan went by the hacker alias “Albanec.” Investigators close to the case told KrebsOnSecurity that Albanec was involved in multiple so-called “unlimited” cashouts, a highly choreographed, global fraud scheme in which crooks hack a bank or payment card processor and used cloned payment cards at cash machines around the world to fraudulently withdraw millions of dollars in just a few hours.

Berezan joins a growing list of top cybercriminals from DirectConnection who’ve been arrested and convicted of cybercrimes since the forum disappeared years ago. One of Albanec’s business partners on the forum was Sergey “Flycracker” Vovnenko, a Ukrainian man who once ran his own cybercrime forum and who in 2013 executed a plot to have heroin delivered to our home in a bid to get Yours Truly arrested for drug possession. Vovnenko was later arrested, extradited to the United States, pleaded guilty and spent more than three years in prison on botnet-related charges (Vovnenko is now back in Ukraine, trying to fight the Russian invasion with his hacking abilities).

Perhaps the most famous DirectConnection member was its administrator Aleksei Burkov, a Russian hacker thought to be so connected to the Russian cybercriminal scene that he was described as an “asset of extreme importance to Moscow.” Burkov was arrested in Israel in 2015, and the Kremlin arrested an Israeli woman on trumped-up drug charges to force a prisoner swap.

That effort failed. Burkov was extradited to the U.S. in 2019, soon pleaded guilty, and was sentenced to nine years. However, he was recently deported back to Russia prior to serving his full sentence, which has prompted Republican leaders in the House to question why.

Other notable cybercrooks from DirectConnection who’ve been arrested, extradited to the U.S. and sentenced to prison include convicted credit card fraudsters Vladislav “Badb” Horohorin and Sergey “zo0mer” Kozerev, as well as the infamous spammer and botnet master Peter “Severa” Levashov.

At his sentencing today, Berezan was sentenced to 66 months in prison and ordered to pay $36 million in restitution to his victims.

Winnie The Pooh Baby Clothes – You Can’t Go Wrong With These!

You can’t go wrong when you dress your baby in Winnie the Pooh baby clothes. After all, who can resist that lovable, huggable bear? Pooh is one of the most popular cartoon characters for babies, and with good reason – he’s irresistibly cute!

There are many styles and designs of Winnie the Pooh baby clothes to choose from. You can find everything from sleepers and rompers to shirts and hats. No matter what you’re looking for, you’ll find it in Pooh’s clothing line.

One of the great things about Winnie the Pooh baby clothes is that they are very affordable, and you can find some fantastic deals on quality clothes that will keep your child looking cute all year long. So what are you waiting for? Dress your baby in Pooh and watch them light up with happiness!

One of the great things about Winnie the Pooh baby clothes is that they’re not just for babies. You can also find toddler and even adult sizes. So, if you want to dress your whole family in Winnie the Pooh clothes, you can!

The Best Winnie The Pooh Baby Clothes On Amazon

If you’re looking for a great deal on Winnie the Pooh clothes, you’ll definitely want to check out Amazon. They have a vast selection of Pooh clothes for both babies and adults, and they often have sales or discounts available. Plus, if you have Amazon Prime, you can get free shipping on your order!

We’ve scoured the website to find the cutest, most stylish, and most affordable Pooh clothes for your little one.

Take a look at our top picks, and get ready to dress your baby in the cutest clothes!

Amazon Essentials Disney Family Matching Pajama Sleep Sets

These pajamas are soft, comfortable, and perfect for a lazy day at home. You can find rompers and one-piece pajamas with snaps for easy dressing for a baby or a toddler.

For adults, you have long sleeve top and pants. Your child will love being able to match Mommy and Daddy!

The fabric is very soft and breathable. These PJs are machine-washable and come in a variety of sizes. They’re also affordably priced so that you can stock up on a few sets.

Disney Winnie The Pooh Sleeper for Baby

If you’re looking for a super-soft, comfy sleeper for your baby, look no further than this one from Disney. It’s made of super soft fleece and has a cute Pooh bear on the front.

The sleeper is designed to keep your baby warm and comfortable all night long. Long sleeves and legs help to keep them cozy, and the front zipper makes it easy to get your baby in and out.

Non-skid feet help to prevent your baby from slipping and sliding. This sleeper stole our hearts with its design, comfort, and affordability.

Winnie The Pooh Baby Toddler Girls Fit and Flare Ultra Soft Dress

Winnie the Pooh dress will make any little girl smile! This adorable dress includes her favorite Winnie the Pooh characters: Pooh Bear, Piglet, Eeyore, Owl, Rabbit, and Tigger! Pooh and friends are printed all over the dress, and it has a ruffle trim. The dress’s bodice is fitted, while a skirt flares out from the waist to create a flattering silhouette.

This dress is perfect for any special occasion or just because. It’s machine-washable and comes in a variety of sizes. We love that it’s both cute and affordable!

The Winnie The Pooh dress is made from 95% polyester and 5% spandex. This lovely dress is made of buttery soft polyester fabric with a stretchy elastic waistband that is inside-lined. Matching bloomer diaper covers are available for the baby sizes!

Komar Kids Girls’ Disney Baby Footed Sleep & Play

The Disney Winnie the Pooh Sleeper is lovely, comfy, and has a zipper guard to keep your infant’s skin safe while playing and sleeping.

The quality of this sleeper is exceptional, and it’s made of 100% cotton that’s smooth, comfy, and will help your baby get a good night’s sleep. It is also ideal for relaxing in comfort!

This sleeper adheres to safety regulations that are so important when baby products are considered.

Disney Winnie The Pooh First Birthday Layette Set

The first birthday is easily the most important milestone in a baby’s life, so make sure you’re prepared with this adorable Winnie the Pooh set!

Your little honey will be celebrating in style with this Winnie the Pooh first birthday set. The set includes a bodysuit and socks to keep them comfy and cozy and a bib with self-stick fabric closure to keep them neat when the cake is served. Long sleeve bodysuit features Winnie the Pooh with a balloon and “1” applique.

This set is machine washable and super affordable, so you can use it again for your next baby if you wish!

LLmoway Kids Baby Toddler Infant Knit Hat Beanie Cap

This LLmoway baby beanie is too cute! It features 3D ears that will make your baby look like their transformed into Winnie The Pooh!

We love the adorable design. It’s made of high-quality, soft knit material to keep your little one’s head warm all winter long.

A Summary – Winnie The Pooh Clothing For Infants And Toddlers

If you’re looking for clothing for your infant or toddler that features everyone’s favorite honey-loving bear, Winnie the Pooh, we’ve got you covered. We’ve found some of the cutest and most affordable items available today.

Our top picks include a super-soft sleeper, an adorable footed sleep and play, a first birthday set, and a cozy knit beanie. These items are made from high-quality materials and adhere to safety regulations, so you can rest assured that your child is dressed in the best of the best.

We hope you enjoy these products as much as we do!

The post Winnie The Pooh Baby Clothes – You Can’t Go Wrong With These! appeared first on Comfy Bummy.

A Closer Look at the LAPSUS$ Data Extortion Group

Microsoft and identity management platform Okta both this week disclosed breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom demand is paid. Here’s a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations.

First surfacing in December 2021 with an extortion demand on Brazil’s Ministry of Health, LAPSUS$ made headlines more recently for posting screenshots of internal tools tied to a number of major corporations, including NVIDIA, Samsung, and Vodafone.

On Tuesday, LAPSUS$ announced via its Telegram channel it was releasing source code stolen from Microsoft. In a blog post published Mar. 22, Microsoft said it interrupted the LAPSUS$ group’s source code download before it could finish, and that it was able to do so because LAPSUS$ publicly discussed their illicit access on their Telegram channel before the download could complete.

One of the LAPSUS$ group members admitted on their Telegram channel that the Microsoft source code download had been interrupted.

“This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact,” Microsoft wrote. “No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk.”

While it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice. Microsoft says LAPSUS$ — which it boringly calls “DEV-0537” — mostly gains illicit access to targets via “social engineering.” This involves bribing or tricking employees at the target organization or at its myriad partners, such as customer support call centers and help desks.

“Microsoft found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners),” Microsoft wrote. The post continues:

“DEV-0537 advertised that they wanted to buy credentials for their targets to entice employees or contractors to take part in its operation. For a fee, the willing accomplice must provide their credentials and approve the MFA prompt or have the user install AnyDesk or other remote management software on a corporate workstation allowing the actor to take control of an authenticated system. Such a tactic was just one of the ways DEV-0537 took advantage of the security access and business relationships their target organizations have with their service providers and supply chains.”

The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft points to an ad LAPSUS$ posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms and call centers.

Sources tell KrebsOnSecurity that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members who used the nicknames “Oklaqq” and “WhiteDoxbin” posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile and Verizon up to $20,000 a week to perform “inside jobs.”

LAPSUS$ leader Oklaqq a.k.a. “WhiteDoxbin” offering to pay $20,000 a week to corrupt employees at major mobile providers.

Many of LAPSUS$’s recruitment ads are written in both English and Portuguese. According to cyber intelligence firm Flashpoint, the bulk of the group’s victims (15 of them) have been in Latin America and Portugal.

“LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts—it operates solely via Telegram and email,” Flashpoint wrote in an analysis of the group. “LAPSUS$ appears to be highly sophisticated, carrying out increasingly high-profile data breaches. The group has claimed it is not state-sponsored. The individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities.”

Microsoft said LAPSUS$ has been known to target the personal email accounts of employees at organizations they wish to hack, knowing that most employees these days use some sort of VPN to remotely access their employer’s network.

“In some cases, [LAPSUS$] first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems,” Microsoft wrote. “Given that employees typically use these personal accounts or numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.”

In other cases, Microsoft said, LAPSUS$ has been seen calling a target organization’s help desk and attempting to convince support personnel to reset a privileged account’s credentials.

“The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure,” Microsoft explained. “Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

LAPSUS$ recruiting insiders via its Telegram channel.

SIM-SWAPPING PAST SECURITY

Microsoft said LAPSUS$ also has used “SIM swapping” to gain access to key accounts at target organizations. In a fraudulent SIM swap, the attackers bribe or trick mobile company employees into transferring a target’s mobile phone number to their device. From there, the attackers can intercept any one-time passwords sent to the victim via SMS or phone call. They can also then reset the password for any online account that allows password resets via a link sent over SMS.

“Their tactics include phone-based social engineering; SIM-swapping to facilitate account takeover; accessing personal email accounts of employees at target organizations; paying employees, suppliers, or business partners of target organizations for access to credentials and multifactor authentication (MFA) approval; and intruding in the ongoing crisis-communication calls of their targets,” Microsoft wrote.

Allison Nixon is chief research officer at Unit 221B, a cybersecurity consultancy based in New York that closely tracks cybercriminals involved in SIM-swapping. Working with researchers at security firm Palo Alto Networks, Nixon has been tracking individual members of LAPSUS$ prior to their forming the group, and says the social engineering techniques adopted by the group have long been abused to target employees and contractors working for the major mobile phone companies.

“LAPSUS$ may be the first to make it extremely obvious to the rest of the world that there are a lot of soft targets that are not telcos,” Nixon said. “The world is full of targets that are not used to being targeted this way.”

Microsoft says LAPSUS$ also has been known to gain access to victim organizations by deploying the “Redline” password-stealing malware, searching public code repositories for exposed passwords, and purchasing credentials and session tokens from criminal forums.

That last bit is interesting because Nixon said it appears at least one member of LAPSUS$ also was involved in the intrusion at game maker Electronic Arts (EA) last year, in which extortionists demanded payment in exchange for a promise not to publish 780 GB worth of source code. In an interview with Motherboard, the hackers claimed to have gained access to EA’s data after purchasing authentication cookies for an EA Slack channel from a dark web marketplace called Genesis.

“The hackers said they used the authentication cookies to mimic an already-logged-in EA employee’s account and access EA’s Slack channel and then trick an EA IT support staffer into granting them access to the company’s internal network,” wrote Catalin Cimpanu for The Record.

Why is Nixon convinced LAPSUS$ was behind the EA attack? The “WhiteDoxbin/Oklaqq” identity referenced in the first insider recruitment screenshot above appears to be the group’s leader, and it has used multiple nicknames across many Telegram channels. However, Telegram lumps all aliases for an account into the same Telegram ID number.

Back in May 2021, WhiteDoxbin’s Telegram ID was used to create an account on a Telegram-based service for launching distributed denial-of-service (DDoS) attacks, where they introduced themself as “@breachbase.” News of EA’s hack last year was first posted to the cybercriminal underground by the user “Breachbase” on the English-language hacker community RaidForums, which was recently seized by the FBI.

WHO IS LAPSUS$?

Nixon said WhiteDoxbin — LAPSUS$’s apparent ringleader — is the same individual who last year purchased the Doxbin, a long-running, text-based website where anyone can post the personal information of a target, or find personal data on hundreds of thousands who have already been “doxed.”

Apparently, Doxbin’s new owner failed to keep the site functioning smoothly, because top Doxbin members had no problems telling WhiteDoxbin how unhappy they were with his stewardship.

“He wasn’t a good administrator, and couldn’t keep the website running properly,” Nixon said. “The Doxbin community was pretty upset, so they started targeting him and harassing him.”

Nixon said that in January 2022, WhiteDoxbin reluctantly agreed to relinquish control over Doxbin, selling the forum back to its previous owner at a considerable loss. However, just before giving up the forum, WhiteDoxbin leaked the entire Doxbin data set (including private doxes that had remained unpublished on the site as drafts) to the public via Telegram.

The Doxbin community responded ferociously, posting on WhiteDoxbin perhaps the most thorough dox the community had ever produced, including videos supposedly shot at night outside his home in the United Kingdom.

According to the denizens of Doxbin, WhiteDoxbin started out in the business of buying and selling zero-day vulnerabilities, security flaws in popular software and hardware that even the makers of those products don’t yet know about.

“[He] slowly began making money to further expand his exploit collection,” reads his Doxbin entry. “After a few years his net worth accumulated to well over 300BTC (close to $14 mil).”

WhiteDoxbin’s Breachbase identity on RaidForums at one point in 2020 said they had a budget of $100,000 in bitcoin with which to buy zero-day flaws in Github, Gitlab, Twitter, Snapchat, Cisco VPN, Pulse VPN and other remote access or collaboration tools.

“My budget is $100000 in BTC,” Breachbase told Raidforums in October 2020. “Person who directs me to someone will get $10000 BTC. Reply to thread if you know anyone or anywhere selling this stuff. NOTE: The 0day must have high/critical impact.”

KrebsOnSecurity is not publishing WhiteDoxbin’s alleged real name because he is a minor (currently aged 17), and because this person has not officially been accused of a crime. Also, the Doxbin entry for this individual includes personal information on his family members.

Nixon said that prior to launching LAPSUS$, WhiteDoxbin was a founding member of a cybercriminal group calling itself the “Recursion Team.” According to the group’s now-defunct website, they mostly specialized in SIM swapping targets of interest and participating in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios are phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

“The team is made up of Cyber-enthusiasts who major in skills including security penetration, software development, and botting,” reads the now-defunct Recursion Team website. “We plan to have a bright future, and we hope you do too!”

Decoding the Fourth Round of MITRE Engenuity ATT&CK® Enterprise (Wizard Spider and Sandworm) Evaluations

The next round of MITRE Engenuity ATT&CK evaluation results is around the corner, and the participating vendors everywhere are starting to ramp up the marketing machine to create a noise about it. MITRE Engenuity is clear that they don’t declare a “winner” and do not assign overall scores, rankings, or ratings to the vendors or their cybersecurity technology. Instead, they’re very transparent assessments of all the detections a given security solution has produced for different stages of a specific adversary’s attacks and present the evaluation results based on four separate but related categories of visibility and detection.

Coinciding with the published results is a barrage of various vendor positioning blogs and PR that claim the “win”, making the results hard to navigate and understand. All the positioning among vendors does not help security teams get what they really need: information on leveraging the results to advance their security objectives.

In this post, we explain what you need to know about the latest MITRE Engenuity ATT&CK evaluation, what that evaluation means to your business, and how you can implement it to better understand and use the security tools at your disposal.

The ATT&CK Framework

MITRE has become the common language of EDR and is the de facto way to evaluate a product’s ability to provide actionable information to the SOC. For three years now, MITRE Engenuity has conducted independent evaluations of cybersecurity products to help the industry and government institutions make better decisions to combat security threats and improve their threat detection capabilities. Leveraging the ATT&CK framework, evaluations assess various vendors on their ability to automatically detect and respond to real-life cyberattacks within the context of the ATT&CK framework.

MITRE Engenuity ATT&CK Enterprise 4 Testing

The latest round of evaluations is called ‘Enterprise 4’ evaluations. Through the lens of the MITRE ATT&CK ®knowledge base, MITRE Engenuity focused on two threat actors, Wizard Spider and Sandworm, for this Enterprise 4 Evaluation. These two threat actors were chosen based on their complexity, relevancy to the market, and how well MITRE Engenuity’s staff can fittingly emulate the adversary.

  • Wizard Spider is a financially motivated criminal group that has been conducting ransomware campaigns since August 2018 against a variety of organizations, ranging from major corporations to hospitals.

  • Sandworm is a destructive Russian threat group that is known for carrying out notable attacks such as the 2015 and 2016 targeting of Ukrainian electrical companies and 2017’s NotPetya attacks.

The Evals team chose to emulate two threat groups that abuse the Data Encrypted For Impact (T1486) technique. In Wizard Spider’s case, they have leveraged data encryption for ransomware, including the widely known Ryuk malware (S0446). Sandworm, on the other hand, leveraged encryption for the destruction of data, perhaps most notably with their NotPetya malware (S0368) that disguised itself as ransomware. While the common thread to this year’s evaluations is “Data Encrypted for Impact,” both groups have substantial reporting on a broad range of post-exploitation tradecraft.

Technique Scope for Enterprise 4 Evaluations

Starting with the Wizard Spider and Sandworm evaluations, each substep will have a single detection category that represents the highest level of context provided to the analyst across all detections for that substep. If a vendor is awarded ‘technique’, which is the highest context within the Detection category, they will not be able to also claim ‘tactic’, ‘general’, or any other detections. This helps deobfuscate and simplify vendor assertions of the ‘number detections’ they received.

This round of evaluations also has Protection evaluation, which was introduced in the last evaluation to determine a vendor’s ability to block key techniques and tactics rather than just identifying and logging them. The ability to detect malicious activity is important but blocking is often preferred, given the sophistication of today’s cyber threats and recognition that 100% prevention over an extended period of time is unsustainable.

Implementing MITRE Engenuity ATT&CK Evaluations to Advance Your Organization’s Security Objectives

The ATT&CK framework brings a common lexicon to stakeholders, cyber defenders, and vendors, helping us to apply intelligence to cybersecurity operations. CISOs and security teams can use the following ATT&CK framework best practices to improve their security posture.

1. Plan a Cyber Security Strategy

Use ATT&CK to plan your cyber security strategy. Build your defenses to counter the techniques known to be used against your type of organization and equip yourself with security monitoring to detect evidence of ATT&CK techniques in your network.

2. Run Adversary Emulation Plans

Use ATT&CK for Adversary Emulation Plans to improve Red team performance. Red teams can develop and deploy a consistent and highly organized approach to defining the tactics and techniques of specific threats, then logically assess their environment to see if the defenses work as expected.

3. Identify Gaps in Defenses

ATT&CK matrices can help Blue teams better understand the components of a potential or ongoing cyber attack to identify gaps in defenses and implement solutions for those gaps. ATT&CK documents suggested remediations and compensating controls for the techniques to which you are more prone.

4. Integrate Threat Intelligence

ATT&CK can effectively integrate your threat intelligence into cyber defense operations. Threats can be mapped to the specific attacker techniques to understand if gaps exist, determine risk, and develop an implementation plan to address them.

Looking Through Vendor FUD to Interpret and Understand the Results

A pragmatic approach to the data will help you cut through the hype and make informed decisions about your organization’s security. MITRE Engenuity is clear that they don’t declare a “winner” and do not assign overall scores, rankings, or ratings to the vendors or their cybersecurity technology. Instead, they’re very transparent and present the evaluation results based on four separate but related, categories of visibility and detection so other organizations may provide their analysis and interpretation. This is preferable over heavily creative statistics derived from the data in an effort to present vendor products in a favorable light. We’ve seen some interesting claims being made relative to the ATT&CK Evals that are dubious, at best. Rather than focus on them, here’s our perspective on some of the solution capabilities you should focus on.

  • Visibility Is The Foundation To Any Superior EDR & XDR Solutions

    The foundation of an outstanding EDR & XDR solution lies in its ability to consume and correlate data at scale in an economic way by harnessing the power of the cloud. Every piece of pertinent data should be captured—with few to no misses—to provide the breadth of visibility for the SecOps team. Data, specifically capturing all events, is the building block of EDR and should be considered table stakes and a key MITRE Engenuity metric.

  • Automated Context and Correlation is Critical in Understanding the Compete Attack Story

    Correlation is the process of building relationships among atomic data points. Preferably, correlation is performed by the machine and at machine speed, so an analyst doesn’t have to manually stitch data together and waste precious time. Furthermore, this correlation should be accessible in its original context for long periods of time in case it’s needed.

  • Alert Consolidation Is Critical in Helping Unburden the SOC Teams

    More signal, less noise is a challenge for the SOC and modern IR teams who face information overload. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, ensure that the solution automatically groups data points into consolidated alerts. Ideally, a solution can correlate related activity into unified alerts to provide campaign-level insight. This reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of responding to alerts. All of this leads to better outcomes for the SOC in the form of shorter containment times and an overall reduction in response times.

  • Delays in Detecting Alerts Can Prove Deadly Allowing Adversaries to Maximize Material Damage

    Time is a critical factor whether you’re detecting an attack or neutralizing it. You need to ask yourself how much of your data can be exfiltrated in an hour? A delayed detection during the evaluation often means that an EDR solution requires a human analyst to manually confirm suspicious activity due to the inability of the solution to do so on its own. The solution typically needs to send data to the analyst team or third-party services such as sandboxes, which in turn analyzes the data and alerts the customer, if required. However, many critical parts of this process are done manually, resulting in a window of opportunity for the adversary to do real damage. Adversaries operating at high speed must be countered with machine speed automation that’s not subject to the inherent slowness of humans.

Looking Ahead

At SentinelOne, we continue to be enthusiastic supporters for the work MITRE Engenuity is doing to painstakingly define and continually expand a common cybersecurity language that describes how adversaries operate. This matters to you because ATT&CK Evaluations is a unifier and a force multiplier for the people on security’s front line who work tirelessly defending their infrastructure and assets from unscrupulous adversaries looking to turn a quick buck, wreak havoc, or steal a life’s work.

We are excited to announce the details of SentinelOne’s participation in the Fourth Round of MITRE Engenuity ATT&CK® Enterprise Evaluations, and we will be posting the results when available. In the meantime, if you’d like to learn more about how the SentinelOne Singularity platform can help your organization achieve these goals, contact us for more information, request a free demo or register for the MITRE Evaluations webinar below.

Decoding the 4th Round of MITRE Engenuity ATT&CK® Enterprise Evaluations
Webinar: Thursday March 31st at 2:00 p.m. (PDT)

‘Spam Nation’ Villain Vrublevsky Charged With Fraud

Pavel Vrublevsky, founder of the Russian payment technology firm ChronoPay and the antagonist in my 2014 book “Spam Nation,” was arrested in Moscow this month and charged with fraud. Russian authorities allege Vrublevsky operated several fraudulent SMS-based payment schemes, and facilitated money laundering for Hydra, the largest Russian darknet market. But according to information obtained by KrebsOnSecurity, it is equally likely Vrublevsky was arrested thanks to his propensity for carefully documenting the links between Russia’s state security services and the cybercriminal underground.

An undated photo of Vrublevsky at his ChronoPay office in Moscow.

ChronoPay specializes in providing access to the global credit card networks for “high risk” merchants — businesses involved in selling services online that tend to generate an unusually large number of chargebacks and reports of fraud, and hence have a higher risk of failure.

When I first began writing about Vrublevsky in 2009 as a reporter for The Washington Post, ChronoPay and its sister firm Red & Partners (RNP) were earning millions setting up payment infrastructure for fake antivirus peddlers and spammers pimping male enhancement drugs.

Using the hacker alias “RedEye,” the ChronoPay CEO oversaw a burgeoning pharmacy spam affiliate program called Rx-Promotion, which paid some of Russia’s most talented spammers and virus writers to bombard the world with junk email promoting Rx-Promotion’s pill shops. RedEye also was the administrator of Crutop, a Russian language forum and affiliate program that catered to thousands of adult webmasters.

In 2013, Vrublevsky was sentenced to 2.5 years in a Russian penal colony for convincing one of his top affiliates to launch a distributed denial-of-service (DDoS) attack against a competitor that shut down the ticketing system for the state-owned Aeroflot airline.

Following his release from jail, Vrublevsky began working on a new digital payments platform based in Hong Kong called HPay Ltd (a.k.a. Hong Kong Processing Corporation). HPay appears to have had a great number of clients that were running schemes which bamboozled people with fake lotteries and prize contests.

According to Russian prosecutors, the scam went like this: Consumers would receive an SMS with links to sites that falsely claimed a number of well-known companies were sponsoring drawings and lotteries for people who enrolled or agreed to answer surveys. All who responded were told they were winners, but also that they had to pay a commission to pick up the prize. That scheme allegedly stole 500 million rubles (~ USD $4.5 million) from over 100,000 consumers.

There are scant public records that show a connection between ChronoPay and HPay, apart from the fact that the latter’s website — hpay[.]io — was originally hosted on the same server (185.180.196.74) along with a handful of other domains, including Vrublevsky’s personal website rnp[.]com.

But then earlier this month, KrebsOnSecurity received a large amount of information that was stolen from ChronoPay recently when hackers managed to compromise the company’s Confluence server. Confluence is a web-based corporate wiki platform, and ChronoPay used their Confluence installation to document in exquisite detail how it creatively distributes the risk associated with high-risk processing by routing transactions through a myriad of shell companies and third-party processors.

A Google-translated snippet of the hacked ChronoPay Confluence installation. Click to enlarge.

Incredibly, Vrublevsky himself appears to have used ChronoPay’s Confluence wiki to document his entire 20+ years of personal and professional history in the high-risk payments space, including the company’s most recent forays with HPay. The latest document in the hacked archive is dated April 2021.

These diary entries, interspersed between highly technical how-tos, are all written in Russian and in the third person. But they are unmistakably Vrublevsky’s words: Some of the elaborate stories in the wiki were identical to theories that Vrublevsky himself espoused to me throughout hundreds of hours of phone interviews. Also, in some of the entries the narrator switches from “he” to “I” when describing the actions of Vrublevsky.

Vrublevsky’s memoire/wiki invokes the nicknames and real names of Russian hackers who worked with the protection of corrupt officials in the Russian Federal Security Service (FSB), the successor agency to the Soviet KGB. In several diary entries, Vrublevsky writes about various cybercriminals and Russian law enforcement officials involved in processing credit card payments tied to online gambling sites.

Russian banks are prohibited from processing payments for online gambling, and as a result many online gaming sites catering to Russian speakers have chosen to process credit card payments through Ukrainian financial institutions.

That’s according to Vladislav “BadB” Horohorin, the convicted cybercriminal who shared the ChronoPay Confluence data with KrebsOnSecurity. In February 2017, Horohorin was released after serving four years in a U.S. prison for his role in the 2009 theft of more than $9 million from RBS Worldpay.

Horohorin said Vrublevsky has been using his knowledge of the card processing networks to extort people in the online gambling industry who may run afoul of Russian laws.

“Russia has strict regulations against processing for the gambling business,” Horohorin said. “While Russian banks can’t do it, Ukrainian ones can, so we have Ukrainian banks processing gambling and casinos, which mostly Russian gamblers use. What Pavel does is he blackmails those Ukrainian banks using his connections and knowledge. Some pay, some don’t. But some people are not very tolerant of that kind of abuse.”

A native of Donetsk, Ukraine, Horohorin told KrebsOnSecurity he hacked and shared the ChronoPay Confluence installation because Vrublevsky had threatened a family member. Horohorin believes Vrublevsky secretly operated the “bad bank” channel on Telegram, which calls attention to online gambling operations that are violating Visa and MasterCard regulations (violations that can bring the violator hundreds of thousands of dollars in fines).

“Pavel scrupulously wrote his diary for a long time, and there is a lot of information on the people he knows,” Horohorin told KrebsOnSecurity. “My understanding is he wrote this in order to blackmail people later. There is a lot of interesting stuff, a lot of names and a lot of very intimate info about Russian card processing market, as well as Pavel’s own escapades.”

ChronoPay’s hacked Confluence server contains many diary entries about major players in the Russian online gambling and bookmaking industries.

Among the escapades recounted in the ChronoPay founder’s diaries are multiple stories involving the self-proclaimed “King of Fraud!” Aleksandr “Nastra” Zhukov, a Russian national who ran an advertising fraud network dubbed “Methbot” that stole $7 million from publishers through bots made to look like humans watching videos online.

The journal explains that Zhukov lived with a ChronoPay employee and had a great deal of interaction with ChronoPay’s high-risk department, so much so that Zhukov at one point gave Vrublevsky a $100,000 jeweled watch as a gift. Zukhov was arrested in Bulgaria in 2018 and extradited to the United States. Following a jury trial in New York that ended last year, Zhukov was sentenced to 10 years in prison.

According to the Russian news outlet Kommersant, Vrublevsky and company operated “Inferno Pay,” a payments portal that worked with Hydra, the largest Russian darknet market for illicit goods, including drug trafficking, malware, and counterfeit money and documents.

Inferno Pay, a cryptocurrency and payment API allegedly operated by the ChronoPay CEO.

“The services of Inferno Pay, whose commission came to 30% of the transaction, were actively used by online casinos,” Kommersant wrote on Mar. 12.

The drama surrounding Vrublevsky’s most recent arrest is reminiscent of events leading up to his imprisonment nearly a decade ago, when several years’ worth of ChronoPay internal emails were leaked online.

Kommersant said Russian authorities also searched the dwelling of Dmitry Artimovich, a former ChronoPay director who along with his brother Igor was responsible for running the Festi botnet, the same spam botnet that was used for years to pump out junk emails promoting Vrublevsky’s pharmacy affiliate websites. Festi also was the botnet used in the DDoS attack that sent Vrubelvsky to prison for two years in 2013.

Artimovich says he had a falling out with Vrublevsky roughly five years ago, and he’s been suing the company ever since. In a message to KrebsOnSecurity, Artimovich said while Vrublevsky was involved in a lot of shady activities, he doubts Vrublevksy’s arrest was really about SMS payment scams as the government claims.

“I do not think that it was a reason for his arrest,” Artimovich said. “Our law enforcement usually don’t give a shit about sites like this. And I don’t think that Vrublevsky made much money there. I believe he angered some high-ranking person. Because the scale of the case is much larger than Aeroflot. Police made search of 22 people. Illegal seizure of money, computers.”

The Hydra darknet market. Image: bitcoin.com