Fulton County, Security Experts Call LockBit’s Bluff

The ransomware group LockBit told officials with Fulton County, Ga. they could expect to see their internal documents published online this morning unless the county paid a ransom demand. LockBit removed Fulton County’s listing from its victim shaming website this morning, claiming the county had paid. But county officials said they did not pay, nor did anyone make payment on their behalf. Security experts say LockBit was likely bluffing and probably lost most of the data when the gang’s servers were seized this month by U.S. and U.K. law enforcement.

The LockBit website included a countdown timer until the promised release of data stolen from Fulton County, Ga. LockBit would later move this deadline up to Feb. 29, 2024.

LockBit listed Fulton County as a victim on Feb. 13, saying that unless it was paid a ransom the group would publish files stolen in a breach at the county last month. That attack disrupted county phones, Internet access and even their court system. LockBit leaked a small number of the county’s files as a teaser, which appeared to include sensitive and sealed court records in current and past criminal trials.

On Feb. 16, Fulton County’s entry — along with a countdown timer until the data would be published — was removed from the LockBit website without explanation. The leader of LockBit told KrebsOnSecurity this was because Fulton County officials had engaged in last-minute negotiations with the group.

But on Feb. 19, investigators with the FBI and the U.K.’s National Crime Agency (NCA) took over LockBit’s online infrastructure, replacing the group’s homepage with a seizure notice and links to LockBit ransomware decryption tools.

In a press briefing on Feb. 20, Fulton County Commission Chairman Robb Pitts told reporters the county did not pay a ransom demand, noting that the board “could not in good conscience use Fulton County taxpayer funds to make a payment.”

Three days later, LockBit reemerged with new domains on the dark web, and with Fulton County listed among a half-dozen other victims whose data was about to be leaked if they refused to pay. As it does with all victims, LockBit assigned Fulton County a countdown timer, saying officials had until late in the evening on March 1 until their data was published.

LockBit revised its deadline for Fulton County to Feb. 29.

LockBit soon moved up the deadline to the morning of Feb. 29. As Fulton County’s LockBit timer was counting down to zero this morning, its listing disappeared from LockBit’s site. LockBit’s leader and spokesperson, who goes by the handle “LockBitSupp,” told KrebsOnSecurity today that Fulton County’s data disappeared from their site because county officials paid a ransom.

“Fulton paid,” LockBitSupp said. When asked for evidence of payment, LockBitSupp claimed. “The proof is that we deleted their data and did not publish it.”

But at a press conference today, Fulton County Chairman Robb Pitts said the county does not know why its data was removed from LockBit’s site.

“As I stand here at 4:08 p.m., we are not aware of any data being released today so far,” Pitts said. “That does not mean the threat is over. They could release whatever data they have at any time. We have no control over that. We have not paid any ransom. Nor has any ransom been paid on our behalf.”

Brett Callow, a threat analyst with the security firm Emsisoft, said LockBit likely lost all of the victim data it stole before the FBI/NCA seizure, and that it has been trying madly since then to save face within the cybercrime community.

“I think it was a case of them trying to convince their affiliates that they were still in good shape,” Callow said of LockBit’s recent activities. “I strongly suspect this will be the end of the LockBit brand.”

Others have come to a similar conclusion. The security firm RedSense posted an analysis to Twitter/X that after the takedown, LockBit published several “new” victim profiles for companies that it had listed weeks earlier on its victim shaming site. Those victim firms — a healthcare provider and major securities lending platform — also were unceremoniously removed from LockBit’s new shaming website, despite LockBit claiming their data would be leaked.

“We are 99% sure the rest of their ‘new victims’ are also fake claims (old data for new breaches),” RedSense posted. “So the best thing for them to do would be to delete all other entries from their blog and stop defrauding honest people.”

Callow said there certainly have been plenty of cases in the past where ransomware gangs exaggerated their plunder from a victim organization. But this time feels different, he said.

“It is a bit unusual,” Callow said. “This is about trying to still affiliates’ nerves, and saying, ‘All is well, we weren’t as badly compromised as law enforcement suggested.’ But I think you’d have to be a fool to work with an organization that has been so thoroughly hacked as LockBit has.”

Simplifying the Security Analyst Experience with Open Cybersecurity Schema Framework (OCSF)

In this blog, we dive into how the Open Cybersecurity Schema Framework (OCSF) improves the security analyst experience. By standardizing third party cybersecurity data through OCSF, SentinelOne enhances efficiency and effectiveness, enabling customers like Liberty Group to prioritize security operations over data acquisition challenges.

This exploration offers insights into the real-world benefits and potential of OCSF in elevating the cybersecurity landscape.

Understanding the OCSF Framework

The Open Cybersecurity Schema Framework (OCSF) is designed to standardize and streamline the way cybersecurity data is structured and shared across different security tools and platforms, enhancing interoperability and efficiency in threat detection, analysis, and response. It’s tackling a fundamental challenge in the security analytics space: the absence of a common, agreed-upon format and data model for logs and alerts across vendors. This lack of standard language in cybersecurity tooling and services creates a challenge for cybersecurity professionals and a lot of manual work.

The OCSF approach emphasizes both proactive defense and reactive response to cyber threats. With the goal of fostering adaptability and resilience in modern enterprises, OCSF works by integrating open systems for flexibility with closed systems for confidentiality and integrity. Combining these elements enables enterprises to be dynamic; adjusting quickly to evolving threats while balancing protection with the needs of the business.

Without the OCSF, security teams must compile data from multiple entities and standardize it to collect meaningful insights. This makes OCSF standardization crucial for the long-term health of defenders. It is a critical first step towards reducing the time and effort it takes to standardize security telemetry and log activity across tools and services, regardless of vendor.

We’re Committed to Making Things Easier with OCSF

SentinelOne’s goal is to improve efficiency and effectiveness of the analyst experience across the incident lifecycle. We recognize that the shift to adopting the OCSF makes the job of security analysts easier and simpler — ultimately supporting their ability to protect the organization from attacks. That’s why we’re committed to the OCSF and are leading the way by building this open standard into our Security AI platform from the ground up.

The Singularity Platform is a unified security AI platform, bringing a single agent, data lake, and console together for security operations. Singularity Data Lake powers this platform at every level. Using the Singularity Marketplace, customers can access a wide range of data connectors that transform third party data sources to OCSF standards, out-of-the-box, with no manual coding or extensive development required.

Singularity Data Lake is a cloud-native, high-performance, and scalable data lake that operates on a massively parallel query engine. It breaks down complex queries and runs computations simultaneously before returning answers to analysts with ~96% return rate on queries within a second. That’s up to 10x faster than legacy SIEM and XDR providers.

Adopting OCSF open standards allow for data portability, ensuring that organizations can future-proof their security tooling. You never know what’s needed next to secure the business, and building on a common data language gives businesses the confidence to add to Singularity Platform as the central hub for security operations. With OCSF, Singularity Data Lake provides the platform for future innovation.

A Real-World Scenario | Streamlining Data Sources in the Singularity Platform

Data adhering to OCSF also streamlines the process of creating custom detections. In the Singularity Platform, custom detections are named STAR rules (Storyline Active Response) which empower security teams to create alerts by querying data they ingest into the Singularity Data Lake. Since our data conforms to OCSF, security teams can write one STAR rule that covers multiple data sources.

Let’s look at a simple STAR rule meant to track several source IP addresses across an environment that ingests logs from multiple vendor products into the Singularity Data Lake. From OCSF documentation, the standardized field name used for source IP address is src_endpoint.ip so, we’ll use that in our query. When we execute this query, notice that results from multiple vendor logs sources are automatically included (SentinelOne, Okta, and Fortinet).

The query is tuned to minimize the result set. Then, we can create a STAR rule to generate alerts without the need to specify the log source. This essentially future-proofs the STAR rule so it is effective at finding this source IP address in additional log sources added to the data lake in the future.

To ensure alerts generated by the STAR rule are acted upon immediately, we can leverage automatic response actions, such as network quarantine.

Now with OSCF, we can simplify the creation of custom rules across multiple data sources. Even when additional sources are added, this detection will persist across them all. Analysts can write rules once and apply them universally, regardless of the addition of new security data to the Singularity Data Lake.

What’s the Bottom Line?

Having a common schema for the cybersecurity industry is a significant step forward in our ability to respond to and hunt for threats. Adopting OCSF puts cyber defenders and enterprise leaders on the same page at the same time, so that ultimately they are equipped with the best tools for the job.

Leveraging OCSF, SentinelOne commits to:

  • Greater efficiency – Our commitment to the OCSF drastically cuts data processing time. Now, data is normalized from the get-go, speeding up analysis and the ability to respond to threats.
  • Comprehensive coverage – Without a common framework for cybersecurity data, there’s a risk that important information might be overlooked or misinterpreted. By adopting the OCSF, we help to ensure data is complete, so customers can accurately interpret insights, regardless of the tools they use.
  • Scalability – As an organization grows, so does the complexity of its cybersecurity infrastructure. A standardized schema like the OCSF aims to provide a scalable approach to data management, so security systems can evolve without losing the ability to communicate effectively.
  • Smarter team allocation – OCSF removes the need to hire or train people on vendor specific language normalization efforts, allowing people to get back to what they’re best at — protecting the enterprise.

Liberty Group | Our Customers Are Leading the Way

Our customers are ready for the opportunity OSCF provides; customers like Owen Connolly, CISO from Liberty Group.

Owen and his team manage a vast security infrastructure to protect its steel and mining business. The real challenge, however, lies in the incredible amounts of  overhead time required to parse information between all their platforms before normalizing data across all ingested data.

In Owen’s words, “Before SentinelOne, much of our time was spent analyzing data across multiple systems due to the technical cost of getting an integrated view, rather than focusing on security operations.” He continues, “Having a platform that provides OCSF-ready data connectors is a game changer and allows my team to focus on detection, triage, investigation, and response rather than data architecture.”

Future-Proof Your Security Strategy

Here at SentinelOne, we want to do what’s right for the cybersecurity industry. When we improve the analyst experience, we empower them to focus on what matters most — defending the enterprise. Cyber defenders face an ever-changing landscape, working to stay steps ahead of malicious actors and the unknown nature of developing threats. By aligning our products to Open Source standards, we’re leveling the playing field. SentinelOne’s adoption of OCSF builds momentum towards a future where today’s leaders can plug in the tools they need without the burden of complexity to slow them down. We hope that more vendors will join us on this journey.

SentinelOne is trusted by global enterprises across a variety of industries and organizations with complex security requirements. Learn more about how Singularity Data Lake empowers businesses to centralize and transform data into actionable intelligence for cost-effective, high-performance security and log analytics here.

Calendar Meeting Links Used to Spread Mac Malware

Malicious hackers are targeting people in the cryptocurrency space in attacks that start with a link added to the target’s calendar at Calendly, a popular application for scheduling appointments and meetings. The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call. But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems.

KrebsOnSecurity recently heard from a reader who works at a startup that is seeking investment for building a new blockchain platform for the Web. The reader spoke on condition that their name not be used in this story, so for the sake of simplicity we’ll call him Doug.

Being in the cryptocurrency scene, Doug is also active on the instant messenger platform Telegram. Earlier this month, Doug was approached by someone on Telegram whose profile name, image and description said they were Ian Lee, from Signum Capital, a well-established investment firm based in Singapore. The profile also linked to Mr. Lee’s Twitter/X account, which features the same profile image.

The investor expressed interest in financially supporting Doug’s startup, and asked if Doug could find time for a video call to discuss investment prospects. Sure, Doug said, here’s my Calendly profile, book a time and we’ll do it then.

When the day and time of the scheduled meeting with Mr. Lee arrived, Doug clicked the meeting link in his calendar but nothing happened. Doug then messaged the Mr. Lee account on Telegram, who said there was some kind of technology issue with the video platform, and that their IT people suggested using a different meeting link.

Doug clicked the new link, but instead of opening up a videoconference app, a message appeared on his Mac saying the video service was experiencing technical difficulties.

“Some of our users are facing issues with our service,” the message read. “We are actively working on fixing these problems. Please refer to this script as a temporary solution.”

Doug said he ran the script, but nothing appeared to happen after that, and the videoconference application still wouldn’t start. Mr. Lee apologized for the inconvenience and said they would have to reschedule their meeting, but he never responded to any of Doug’s follow-up messages.

It didn’t dawn on Doug until days later that the missed meeting with Mr. Lee might have been a malware attack. Going back to his Telegram client to revisit the conversation, Doug discovered his potential investor had deleted the meeting link and other bits of conversation from their shared chat history.

In a post to its Twitter/X account last month, Signum Capital warned that a fake profile pretending to be their employee Mr. Lee was trying to scam people on Telegram.

The file that Doug ran is a simple Apple Script (file extension “.scpt”) that downloads and executes a malicious trojan made to run on macOS systems. Unfortunately for us, Doug freaked out after deciding he’d been tricked — backing up his important documents, changing his passwords, and then reinstalling macOS on his computer. While this a perfectly sane response, it means we don’t have the actual malware that was pushed to his Mac by the script.

But Doug does still have a copy of the malicious script that was downloaded from clicking the meeting link (the online host serving that link is now offline). A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers.

“When the project team clicks the link, they encounter a region access restriction,” SlowMist wrote. “At this point, the North Korean hackers coax the team into downloading and running a ‘location-modifying’ malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds.”

Image: SlowMist.

SlowMist says the North Korean phishing scams used the “Add Custom Link” feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks.

“Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion,” the blog post explains. “Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code.”

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed “BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group.

“A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs,” Kaspersky wrote of BlueNoroff in Dec. 2023.

The North Korean regime is known to use stolen cryptocurrencies to fund its military and other state projects. A recent report from Recorded Future finds the Lazarus Group has stolen approximately $3 billion in cryptocurrency over the past six years.

While there is still far more malware out there today targeting Microsoft Windows PCs, the prevalence of information-stealing trojans aimed at macOS users is growing at a steady clip. MacOS computers include X-Protect, Apple’s built-in antivirus technology. But experts say attackers are constantly changing the appearance and behavior of their malware to evade X-Protect.

“Recent updates to macOS’s XProtect signature database indicate that Apple are aware of the problem, but early 2024 has already seen a number of stealer families evade known signatures,” security firm SentinelOne wrote in January.

According to Chris Ueland from the threat hunting platform Hunt.io, the Internet address of the fake meeting website Doug was tricked into visiting (104.168.163,149) hosts or very recently hosted about 75 different domain names, many of which invoke words associated with videoconferencing or cryptocurrency. Those domains indicate this North Korean hacking group is hiding behind a number of phony crypto firms, like the six-month-old website for Cryptowave Capital (cryptowave[.]capital).

The increasing frequency of new Mac malware is a good reminder that Mac users should not depend on security software and tools to flag malicious files, which are frequently bundled with or disguised as legitimate software.

As KrebsOnSecurity has advised Windows users for years, a good rule of safety to live by is this: If you didn’t go looking for it, don’t install it. Following this mantra heads off a great deal of malware attacks, regardless of the platform used. When you do decide to install a piece of software, make sure you are downloading it from the original source, and then keep it updated with any new security fixes.

On that last front, I’ve found it’s a good idea not to wait until the last minute to configure my system before joining a scheduled videoconference call. Even if the call uses software that is already on my computer, it is often the case that software updates are required before the program can be used, and I’m one of those weird people who likes to review any changes to the software maker’s privacy policies or user agreements before choosing to install updates.

Most of all, verify new contacts from strangers before accepting anything from them. In this case, had Doug simply messaged Mr. Lee’s real account on Twitter/X or contacted Signum Capital directly, he would discovered that the real Mr. Lee never asked for a meeting.

If you’re approached in a similar scheme, the response from the would-be victim documented in the SlowMist blog post is probably the best.

Image: SlowMist.

February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs

February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.

In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.

Ransomware Reporting and Underreporting

February 2024 has seen several impactful ransomware attacks reported, including:

Actor Targeted Industry
LockBit Medical
BackMyData Medical
Black Basta Automotive
Cactus Manufacturing

Concerns remain, however, that many ransomware incidents are unreported. Particularly in cases where an organization is experiencing its first cybercrime incident, there may be a tendency to believe that disclosing the breach may be more damaging than paying the attackers.

For any organization feeling that pressure, it is worth reviewing advice from the NCSC about why transparency matters to victims. It is also worth reviewing Google’s journey from victim to major contributor to cyber safety: the formation of its Project Zero initiative and Threat Analysis Group were direct consequences of its experience of a cyber attack from a Chinese APT.

In a statement on January 31st, CISA Director Jan Easterly told a House Select Committee that “Every victim of a cyber incident should report it to CISA or FBI, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security”. Easterly stressed, and we couldn’t agree more, that business leaders must treat cyber risks as core business risks and recognize that “managing them is a matter of both good governance and fundamental national security”.

Software Products Under Active Exploitation

Improving the design of software products such that exploitable flaws become “a shocking anomaly” was also part of Easterly’s vision for a safer cyber future.

February saw a trend in attacks leveraging enterprise tools for remote, authenticated access, aka RMMs (Remote Monitoring and Management). Both APT groups and ‘lower tier’ crimeware actors continue to exploit vulnerabilities in Ivanti’s Connect Secure and Policy Secure products.

ConnectWise’s ScreenConnect has also been targeted for mass exploitation thanks to multiple RCE flaws that are trivial to exploit. In addition, alarm was raised this month after a response to a breach at AnyDesk found evidence of compromised production systems.

CVEs and updates that organizations are prioritizing include:

Ivanti Connect Secure CVE-2024-21893
ConnectWise ScreenConnect CVE-2024-1708
ConnectWise ScreenConnect CVE-2024-1709
AnyDesk Recommended update to 7.0.15 and 8.0.8

Emerging Trends and Tactics

AI continues to push the boundaries of cybersecurity for both attackers and defenders. On top of LLM chat assistants and natural language image generators comes Sora, the first generative AI model that can create realistic video – currently up to 60 seconds – from text prompts. According to OpenAI, “Sora is capable of generating entire videos all at once or extending generated videos to make them longer.”

The potential for deep fakes in an election year is one obvious area of concern, but the wider implications of a text-to-video service are perhaps even greater. OpenAI says it is building tools to help detect misleading content as well as reject prompts that violate usage policies, but based on the rapid proliferation of ‘evil ChatGPTs’ (see WormGPT, DarkGPT, and Predator AI for examples) that may be no more than a sticking plaster solution. Sora is still in beta but is currently available to red teamers to help assess the potential risks such a service could cause.

February also saw OpenAI, in conjunction with Microsoft, report on the malicious use of AI by state-affiliated threat actors. Groups associated with four different nations were discovered to be trying to leverage OpenAI for harmful purpose:

China  Charcoal Typhoon / Salmon Typhoon
Iran Crimson Sandstorm
North Korea Emerald Sleet
Russia Forest Blizzard

The use of AI by threat actors largely revolves around improving productivity and automating existing tasks that are labor intensive, such as generating social engineering content. To date, it has not been used to produce novel attacks. However, we are still very much in the early stages of understanding the capabilities of this new technology.

The fact that it is already being leveraged by both state-sponsored actors and financially-motivated cybercriminals emphasizes the need for defenders to keep pace with AI’s evolution.

We encourage defenders to review SentinelOne’s recommendations for Safe, Secure, and Trustworthy AI. For specific TTPs related to artificial intelligence systems, see the new MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework.

Law Enforcement & Policy | Significant Actions

The U.S government in February announced a Visa Restriction policy for individuals involved in the misuse of commercial spyware. The policy covers not only the use of spyware, but also anyone “believed to facilitate or derive financial benefit from the misuse of commercial spyware” and “developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware”.

The move reflects mounting concerns about the rise of private sector offensive actors (aka hack-for-hire groups) and the safety of mobile devices.

Coordinated action by U.S. and U.K. law enforcement to disrupt LockBit operations generated plenty of headlines in the third week of February, but early signs are that the group is not down and out yet. On February 24, 2024, LockBit released a series of statements concerning the disruption.

The group claimed the FBI was unable to compromise all of their infrastructure, allowing the group to reestablish and maintain primary operations. The statements included functional links to a blog site and data portals to support their claims that the ransomware operator was still in business.

LockBit’s disruption may yet turn out to be temporary, following the trend set by direct actions against Hive, ALPHV and others.

lockbit fbi response
Excerpt of LockBit’s February 24, 2024 ‘Statement’

In further signs of an escalating, policy-driven offensive to tackle cybercrime, the United States Department of State has offered a ten million dollar bounty for information relating to Hive ransomware operators and co-conspirators. On February 9th, the U.S. Department of Justice disclosed the dismantling of Warzone RAT, the seizure of supporting data and infrastructure, and the filing of charges against key players tied to the operation.

Conclusion

Coordinated action by the U.S. and other governments is certainly having an impact on cybercriminals’ operations, but there are still more threat actors out there that we can count, and there’s a long way to go in this battle to capture, thwart and discourage digital attackers.

February’s quick takeaway for busy readers: patch before a breach occurs, and report it when it does.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.

PinnacleOne ExecBrief | China’s Hacking Ecosystem

Last week, PinnacleOne collaborated with SentinelLabs to unpack the leak of internal files from a firm (I-Soon) that contracts with Chinese government security agencies to hack global targets.

In this ExecBrief, we examine how I-Soon (上海安洵) fits into the larger Chinese hacking ecosystem and highlight key implications for business leaders.

Please subscribe to read future issues— and forward this newsletter to your colleagues to get them to sign up as well.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus: China’s Hacking Ecosystem

The leak of I-Soon’s internal files provided security researchers concrete details revealing the maturing nature of China’s cyber espionage ecosystem. The files–including chat logs between hackers offering pilfered data and complaining about poor compensation–showed explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire. [PinnacleOne’s own Dakota Cary was in demand last week, quoted for comment in the FT, CNN, BBC, AP, Bloomberg, NBC News, NPR, Newsweek, The Record, Cyberscoop, KrebsonSecurity, DarkReading, and more.]

This company is one of many that contract with government agencies, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army. As China’s appetite for foreign data and ambitions to become a global cyber power have grown, so has this burgeoning private industry of hackers-for-hire and an associated market for a torrent of stolen information.

What The I-Soon Leaks Show

Some of the leaks show how private operators sometimes independently–and perhaps opportunistically–exploit foreign targets, seeking a government buyer only after the data has been acquired. The chat logs from I-Soon employees demonstrate how the company, in need of cash to pad its books, conducted independent operations on the expectation (or hope) that a government customer would buy their wares. In the case presented by the chat logs, no buyer apparently materialized and such operations were the exception, not the rule. Many of the apparent victims could be tied directly to government agencies soliciting their penetration by I-Soon.

Some media outlets are overemphasizing this “entrepreneurial” data theft and sale as the overarching condition of China’s hack-for-hire market. These outlets are wrong. It is important not to over interpret the findings from this one company’s activities.

What Really Drives PRC Cyber Targeting

It remains the case that China’s national security, geopolitical, and economic objectives drive a strong set of demand signals that shape its public and private cyber operations against western targets across the full spectrum of technology and industry sectors.

Some sectors are targeted for intellectual property, scientific information, or competitive intelligence, while others fall into the military bullseye for strategic prepositioning in advance of conflict scenarios. Of course, a large effort is also devoted to domestic and overseas political monitoring, control, and repression. We see private actors like I-Soon responding with cyber solutions to meet all of these demand signals.

How PRC Political Demands Translate into Targeting Requirements

China’s approach to cyberespionage incorporates broad swaths of the party-state apparatus and translates into both legal and covert activities to meet politically-defined technology targeting requirements (see graphic below).

The top-level policy document that sets the strategic demand signal is the National People’s Congress Five-Year Plan, which establishes strategic goals by sector, against which individual government ministries release their own detailed Five-Year Plans. Different industries, academic institutions, state-owned enterprises (SOEs), and provincial and municipal governments interpret these plans and operationalize them according to their own, wildly diverse, policy processes.

The two most important ministries for technology development (and cyberespionage targeting requirements) are the Ministry of Science and Technology (MOST) and the Ministry of Industry and Information Technology (MIIT). These ministries oversee an archipelago of research institutes and academic institutions and interact with the foreign affairs and security departments to support their efforts.

In particular, a cadre of Science and Technology Diplomats is deployed overseas to help identify and target technologies and industries of interest, while domestic academic institutions coordinate with S&T Conversion Centers to support technology transfer and indigenization activities. Meanwhile, private industry and SOEs conducting their own research efforts request assistance from MOST/MIIT and insert their own technology requirements to help shape government funding and targeting priorities.

At this level, legal means like joint venture agreements, acquisitions, and talent poaching are preferred, even if conducted with subterfuge or obfuscation via third party cut-outs. However, government research institutes, the “Seven Sons” of national defense universities, and military SOEs typically prefer illicit means. These consumers may utilize the PLA’s own hacking units or request the Ministry of State of Security (MSS) for support.

This complex web of activities generates a massive, continuous flow of internal scientific, technical, and industrial targeting requirements that drive licit and illicit technology transfer and IP theft activities. Companies like I-Soon represent the tip of the iceberg.

What This Means for Business Executives

China has a whole-of-government effort to capture market share in strategic industries, “seize the commanding heights” of emerging critical technologies, and reduce its external dependencies on adversaries while increasing adversary dependencies on China.

This is all in service of a grand strategy to climb and dominate global value chains, expand geoeconomic influence, and rewrite the economic and security architecture of the world system.

As a result, the set of sectors and firms that find themselves in the geopolitical and cyberespionage bullseye will continue to grow, as will the intensity of the offensive operations targeted against them.

As the I-Soon leaks demonstrate, it isn’t just well-resourced state-actors that firms have to contend with. The fact that underpaid, moderately skilled independent hackers can achieve as much success as the I-Soon files show should be a loud wake-up call to global executives about the resilience of their security posture.

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.

UNFOLDING DISASTER

In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A screen shot released by LockBit showing various Fulton County file shares that were exposed.

LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.

George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.

Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.

“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”

LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.

The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”

LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton County’s new countdown timer.

LockBit’s new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.

“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

DOX DODGING

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.

However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.

On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is offered for information on affiliates.

In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.

“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.”

TROUBLE ON THE HOMEFRONT?

In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.

Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and former soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.

LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.

Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.

A posted by the XSS administrator saying LockBitSupp wanted him dead.

INTERVIEW WITH LOCKBITSUPP

KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.

LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.

“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”

Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.

“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”

It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.

Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fanny Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.

Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.

Fulton County is still trying to recover systems and restore services affected by the ransomware attack. “Fulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,” reads the latest statement from the county on Feb. 22. “Since the start of this incident, our team has been working tirelessly to bring services back up.”

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good | LockBit Ransomware Gang Locked Down & Chinese Cyber Espionage Ecosystem Exposed

The cybersecurity community saw two valuable developments this week, the first being a hard-won shut down of the notorious LockBit infrastructure, and the second, a rare glimpse into the inner workings of China’s cyber espionage operations.

LockBit has long plagued victims across several critical industries, costing $91 million in losses within the U.S. alone since 2020. In a collaborative effort involving law enforcement from 11 countries and Europol, Operation Cronos dealt a significant blow to the ransomware gang.

Source: NCA

Authorities were able to seize multiple darknet domains operated by the gang, disrupting the primary infrastructure that enabled their Ransomware-as-a-Service (RaaS) model. The joint operation also resulted in the arrest of two LockBit operators, the freezing of over 200 cryptocurrency accounts associated with the group, and the development of a LockBit 3.0 Black decryptor tool available for free. The U.S. State Department is also offering up to $15 million in rewards for information leading to the apprehension of key LockBit leaders, group associates, or ransomware affiliates.

In other news, cyber defenders are getting a unique peek into China’s state-sanctioned cyber espionage efforts, which has fostered a competitive marketplace of independent contractor hackers-for-hire over the years. I-Soon, a PRC-contracted company, suffered a data leak where thousands of client-employee messages and dozens of marketing materials were published anonymously on GitHub. While details surrounding the origin and authenticity of the leaked content are ongoing, the event offers much insight into Chinese offensive operations and gives defenders an opportunity to improve their cyber defenses and better understand mature operators within the greater cyber threat domain.

The Bad | Critical ConnectWise ScreenConnect RCE Bugs Exploited in the Wild

Warnings abound this week for ConnectWise customers regarding two critical severity remote code execution (RCE) flaws within ScreenConnect. Tracked as CVE-2024-1708 and CVE-2024-1709, the flaws stem from an authentication bypass weakness in the popular remote monitoring and management (RMM) software, allowing unauthorized access or arbitrary code execution.

It seems that attackers have wasted no time. Just a day after the initial disclosure and with technical details and proof-of-concepts circulating online, both vulnerabilities are confirmed to be under active exploitation. In the case of CVE-2024-1709, an attacker can send specially crafted requests within affected versions to trigger the setup wizard, even when the software is already set up, before creating a new administrator account to take control of the ScreenConnect instance.

Leveraging the path traversal flaw, CVE-2024-1708, an attacker can access or modify files outside of the intended restricted directory. If exploited in tandem, use of both flaws enable attackers to access and manipulate sensitive files and, subsequently, upload their malicious payload outside of the ScreenConnect subdirectory. In the wake of the active exploits, ConnectWise has removed all license restrictions and continues to urge users to update on-premise servers to version 23.9.8 at minimum.

Recent advisories from CISA, NSA, and MS-ISAC highlight the increasing misuse of legitimate RMM software like ScreenConnect for malicious purposes. RMM applications can be used as backdoors for persistence or command and control (C2). Network defenders are reminded to regularly audit remote access tools for abnormal use, patch on time, and put proactive security measures in place to detect intrusions and potential breaches.

The Ugly | German Elections Under Threat by Russian-Linked Influence Operations

SentinelLabs and ClearSky Cyber Security this week unveiled a substantial propaganda and disinformation campaign believed to be orchestrated by a Russia-aligned influence operation network dubbed Doppelgänger. Initiated in late November 2023, the campaign initially targeted Ukrainian affairs but has since expanded its reach to audiences in the United States, Israel, France, and Germany.

Findings from both SentinelLabs and ClearSky expand on Doppelgänger’s rising efforts in spreading disinformation. Most recently, the network’s activities currently focus on employing propaganda and disinformation tactics to influence public opinion, particularly regarding socio-economic and geopolitical matters relevant to targeted German audiences.

Doppelgänger’s latest campaign concentrates on criticizing the ruling government coalition’s support for Ukraine, potentially with the aim of influencing public sentiment ahead of imminent elections. This discovery correlates with latest reports from the German Ministry of Foreign Affairs and Der Spiegel media outlet, which have also raised alarms about potential election interference within Germany.

Doppelgänger’s modus operandi involves an extensive network of social media accounts, primarily on X (formerly Twitter). Network operators also engage in coordinated activities to amplify their messages through a sophisticated infrastructure, including a network of websites hosting propaganda articles designed to mimic legitimate news outlets, coupled with evasion tactics.

Anti-government statements in a health-themed article (emphasis added)
Anti-government statements in a health-themed article (emphasis added)

With major elections on the horizon across the EU and the United States, the persistence and evolving nature of Doppelgänger’s campaign speak to more cases of information warfare to come. As threat actors continue to exploit media and trending geopolitical and socio-economic current events, a combination of public awareness campaigns, social media literacy programs, and effective social media security policies will be much needed to minimize the threat of propaganda and disinformation online.

New Leak Shows Business Side of China’s APT Menace

A new data leak that appears to have come from one of China’s top private cybersecurity firms provides a rare glimpse into the commercial side of China’s many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation’s burgeoning and highly competitive cybersecurity industry.

A marketing slide deck promoting i-SOON’s Advanced Persistent Threat (APT) capabilities.

A large cache of more than 500 documents published to GitHub last week indicate the records come from i-SOON, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.

The leaked documents suggest i-SOON employees were responsible for a raft of cyber intrusions over many years, infiltrating government systems in the United Kingdom and countries throughout Asia. Although the cache does not include raw data stolen from cyber espionage targets, it features numerous documents listing the level of access gained and the types of data exposed in each intrusion.

Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of “the top 30 information security companies.”

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” said Dakota Cary, a China-focused consultant at the security firm SentinelOne. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.

i-SOON’s “business services” webpage states that the company’s offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.

APT stands for Advanced Persistent Threat, a term that generally refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the company’s “APT research team” (see screenshot above).

i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.

The leaked documents included a lengthy chat conversation between the company’s founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said the CEO of i-SOON, Wu Haibo (“Shutdown” in the leaked chats) is a well-known first-generation red hacker or “Honker,” and an early member of Green Army — the very first Chinese hacktivist group founded in 1997. Mr. Haibo has not yet responded to a request for comment.

In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called Chengdu 404. In September 2021, the U.S. Department of Justice unsealed indictments against multiple Chengdu 404 employees, charging that the company was a facade that hid more than a decade’s worth of cyber intrusions attributed to a threat actor group known as “APT 41.”

Danowski said the existence of this legal dispute suggests that Chengdu 404 and i-SOON have or at one time had a business relationship, and that one company likely served as a subcontractor to the other.

“From what they chat about we can see this is a very competitive industry, where companies in this space are constantly poaching each others’ employees and tools,” Danowski said. “The infosec industry is always trying to distinguish [the work] of one APT group from another. But that’s getting harder to do.”

It remains unclear if i-SOON’s work has earned it a unique APT designation. But Will Thomas, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that corresponds to a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits that were being used to target groups in Tibet. The 2019 report referred to the threat actor behind those attacks as an APT group called Poison Carp.

Several images and chat records in the data leak suggest i-SOON’s clients periodically gave the company a list of targets they wanted to infiltrate, but sometimes employees confused the instructions. One screenshot shows a conversation in which an employee tells his boss they’ve just hacked one of the universities on their latest list, only to be told that the victim in question was not actually listed as a desired target.

The leaked chats show i-SOON continuously tried to recruit new talent by hosting a series of hacking competitions across China. It also performed charity work, and sought to engage employees and sustain morale with various team-building events.

However, the chats include multiple conversations between employees commiserating over long hours and low pay. The overall tone of the discussions indicates employee morale was quite low and that the workplace environment was fairly toxic. In several of the conversations, i-SOON employees openly discuss with their bosses how much money they just lost gambling online with their mobile phones while at work.

Danowski believes the i-SOON data was probably leaked by one of those disgruntled employees.

“This was released the first working day after the Chinese New Year,” Danowski said. “Definitely whoever did this planned it, because you can’t get all this information all at once.”

SentinelOne’s Cary said he came to the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.

China’s much vaunted Great Firewall not only lets the government control and limit what citizens can access online, but this distributed spying apparatus allows authorities to block data on Chinese citizens and companies from ever leaving the country.

As a result, China enjoys a remarkable information asymmetry vis-a-vis virtually all other industrialized nations. Which is why this apparent data leak from i-SOON is such a rare find for Western security researchers.

“I was so excited to see this,” Cary said. “Every day I hope for data leaks coming out of China.”

That information asymmetry is at the heart of the Chinese government’s cyberwarfare goals, according to a 2023 analysis by Margin Research performed on behalf of the Defense Advanced Research Projects Agency (DARPA).

“In the area of cyberwarfare, the western governments see cyberspace as a ‘fifth domain’ of warfare,” the Margin study observed. “The Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is, not ‘control’ of cyberspace, but control of information, a vision that dominates China’s cyber operations.”

The National Cybersecurity Strategy issued by the White House last year singles out China as the biggest cyber threat to U.S. interests. While the United States government does contract certain aspects of its cyber operations to companies in the private sector, it does not follow China’s example in promoting the wholesale theft of state and corporate secrets for the commercial benefit of its own private industries.

Dave Aitel, a co-author of the Margin Research report and former computer scientist at the U.S. National Security Agency, said it’s nice to see that Chinese cybersecurity firms have to deal with all of the same contracting headaches facing U.S. companies seeking work with the federal government.

“This leak just shows there’s layers of contractors all the way down,” Aitel said. “It’s pretty fun to see the Chinese version of it.”

Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates

U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

Investigators used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities.

LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.

LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.

A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBit’s primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.

The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged (PDF) with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil“) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States (the complaint against Vasiliev is at this PDF). Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published Who is the Network Access Broker ‘Wazawaka,’ which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

An FBI wanted poster for Matveev.

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and it’s unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm ProDaft said on Twitter/X that the infiltration of LockBit by investigators provided “in-depth visibility into each affiliate’s structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.”

In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gang’s leaders said the FBI and the U.K.’s National Crime Agency (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.

Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBit’s vaunted “Bug Bounty” program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBit’s online infrastructure.

This prompted several XSS members to start posting memes taunting the group about the security failure.

“Does it mean that the FBI provided a pentesting service to the affiliate program?,” one denizen quipped. “Or did they decide to take part in the bug bounty program? :):)”

Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBit’s data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of “LockBitSupp,” the unofficial spokesperson or figurehead for the LockBit gang.

“Who is LockbitSupp?” the teaser reads. “The $10m question.”

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

“My god, who needs me?,” LockBitSupp wrote on Jan. 22, 2024. “There is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, it’s an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.”

Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.

“I don’t think this is an accident—this is how ransomware groups talk to each other,” Stockley said. “This is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.”

In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.

The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.

The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good | Back-to-Back FBI Ops Disrupt Major RAT Infrastructure & GRU Spy Network

This week counted two wins for the FBI in the fight against malicious activities orchestrated by cybercriminals and state-sponsored hackers.

First, the Bureau dismantled an extensive cybercrime operation revolving around the Warzone remote access trojan (RAT). Daniel Meli, a 27-year-old Maltese resident linked to the operation, was arrested for his role in spreading the malware. Warzone RAT was first created in 2018 and is often seen in attacks involving hidden remote desktops, keylogging, reverse proxies, remote shells, UAC bypassing, as well as cookie and password theft.

Meli’s arrest and the seizure of Warzone RAT’s primary website warzone[.ws] is the result of transnational cooperation between Maltese authorities and the U.S. DoJ. He faces 15 years in prison under the charges of unauthorized damage to protected computers, the illegal sale and advertisement of electronic interception devices, and conspiring to commit various computer intrusion offenses.

Warzone RAT website seizure

Just days later, the FBI announced the success of Operation Dying Ember, a court-ordered effort that took down a botnet comprising Ubiquiti Edge OS routers infected with Moobot malware. The malware was reportedly operated by Russia’s Main Intelligence Directorate of the General Staff (GRU), also tracked as APT28 or Fancy Bear.

The GRU’s use of pre-existing malware like Moobot speaks to blurred lines between cybercriminal and state-sponsored tactics, challenging traditional threat detection methods. In this case, the GRU hackers had leveraged the malware and effectively repurposed the botnet to deploy their own custom cyber espionage tool. FBI agents have since countered the hackers by using Moobot to delete stolen data, malicious files, and the malware itself before blocking remote access that would have allowed GRU operations to reinfect the routers.

The Bad | RansomHouse Attackers Launch New Tool to Automate VMware ESXI Attacks

RansomHouse has recently introduced a new tool called ‘MrAgent’, designed to automate the deployment of its data encrypter across multiple VMware ESXi hypervisors. The ransomware-as-a-service (RaaS) operators have been known to target large organizations and high-value victims since its inception in March of 2022. ESXi servers are a prime target for ransomware groups due to their role in hosting virtual computers that often hold valuable data and critical business applications, amplifying the impact of attack.

Based on latest research reports, MrAgent streamlines RansomHouse’s attacks on ESXi systems by identifying host systems, disabling firewalls, and automating ransomware deployment across multiple hypervisors simultaneously. This tool supports custom configurations received from the command-and-control (C2) server, allowing for tailored ransomware deployment and execution of local commands on the hypervisor. It works by minimizing the chances of detection while targeting all reachable virtual machines (VMs) at once to increase the impact of the attack campaign.

Threat actors will continue to focus on automating their tactics to conduct faster, more effective campaigns. For example, SentinelLabs this week identified threat actors moving workloads previously handled by traditional web servers to the cloud in order to bulk send SMS messages through SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) for the purpose of spamming phishing links.

For threat actors, automation enables them to scale their operations and rapidly deploy attacks. This helps maximize their chances of success, streamline their time and resources, and maintain consistency across attack campaigns. By automating repetitive tasks, threat actors are also able to devote more time to developing sophisticated attack techniques and novel ways of evading detection.

The Ugly | Water Hydra APT Exploits Microsoft Zero-Day to Target Financial Traders

A zero-day vulnerability (CVE-2024-21412) that bypasses Microsoft Defender SmartScreen is under active exploitation by an advanced persistent threat (APT) actor called Water Hydra (aka DarkCasino). In a report this week, cybersecurity researchers revealed the threat actor’s tactics currently focused on leveraging the flaw to distribute the DarkMe malware.

CVE-2024-21412 revolves around the processing of Internet Shortcut Files (.url) and a technology called ‘Mark of the Web’ (MOTW). Applications that download files from the internet are supposed to tag them with the MOTW attribute to indicate their origin. When these files are executed, the presence of the MOTW attribute tells Windows Defender SmartScreen to alert users if the file is potentially malicious or to take other security measures. Water Hydra attackers discovered that the MOTW attribute is not attached to a file when it is executed through a series of shortlinks, and thus the file bypasses examination by Windows Defender SmartScreen.

The attack campaign currently targets financial market traders by spreading malicious internet shortcut files via forex trading forums and Telegram channels. Using social engineering tactics, Water Hydra tricks victims into executing the malware, which comes equipped with capabilities for further exploitation and data exfiltration. The attackers then deliver DarkMe malware, a Visual Basic trojan, which downloads and executes additional instructions after registering with a command-and-control (C2) server. DarkMe enables Water Hydra attackers to create and delete folders, execute shell commands, and enumerate folder content.

In a previous attack campaign, Water Hydra exploited CVE-2023-38831, another high-severity vulnerability (CVSS score: 7.8) in the WinRAR software, to install malware and breach online cryptocurrency trading accounts.

These campaigns underscore Water Hydra’s adeptness at discovering and exploiting zero-day vulnerabilities and emphasizes the fact that a tight relationship between security software and the OS vendor is a weak point that threat actors continue to exploit.