February 2024 Cybercrime Update | Commercial Spyware, AI-Driven APTs & Flawed RMMs

February saw the U.S. government take significant actions against cybercrime, continuing the current administration’s policy of using all the resources of the state to tackle the problem head on. Nation-state actors, meanwhile, have taken to leveraging AI to enhance their operations and attacks.

In this month’s update, we also highlight a crop of CVEs in remote management and monitoring (RMM) tools that threat actors are exploiting in the wild, and as always we have the latest in ransomware updates.

Ransomware Reporting and Underreporting

February 2024 has seen several impactful ransomware attacks reported, including:

Actor Targeted Industry
LockBit Medical
BackMyData Medical
Black Basta Automotive
Cactus Manufacturing

Concerns remain, however, that many ransomware incidents are unreported. Particularly in cases where an organization is experiencing its first cybercrime incident, there may be a tendency to believe that disclosing the breach may be more damaging than paying the attackers.

For any organization feeling that pressure, it is worth reviewing advice from the NCSC about why transparency matters to victims. It is also worth reviewing Google’s journey from victim to major contributor to cyber safety: the formation of its Project Zero initiative and Threat Analysis Group were direct consequences of its experience of a cyber attack from a Chinese APT.

In a statement on January 31st, CISA Director Jen Easterly told a House Select Committee that “Every victim of a cyber incident should report it to CISA or FBI, every time, recognizing that a threat to one is a threat to many, because cybersecurity is national security”. Easterly stressed, and we couldn’t agree more, that business leaders must treat cyber risks as core business risks and recognize that “managing them is a matter of both good governance and fundamental national security”.

Software Products Under Active Exploitation

Improving the design of software products such that exploitable flaws become “a shocking anomaly” was also part of Easterly’s vision for a safer cyber future.

February saw a trend in attacks leveraging enterprise tools for remote, authenticated access, aka RMMs (Remote Monitoring and Management). Both APT groups and ‘lower tier’ crimeware actors continue to exploit vulnerabilities in Ivanti’s Connect Secure and Policy Secure products.

ConnectWise’s ScreenConnect has also been targeted for mass exploitation thanks to multiple RCE flaws that are trivial to exploit. In addition, alarm was raised this month after a response to a breach at AnyDesk found evidence of compromised production systems.

CVEs and updates that organizations are prioritizing include:

Ivanti Connect Secure CVE-2024-21893
ConnectWise ScreenConnect CVE-2024-1708
ConnectWise ScreenConnect CVE-2024-1709
AnyDesk Recommended update to 7.0.15 and 8.0.8

Emerging Trends and Tactics

AI continues to push the boundaries of cybersecurity for both attackers and defenders. On top of LLM chat assistants and natural language image generators comes Sora, the first generative AI model that can create realistic video – currently up to 60 seconds – from text prompts. According to OpenAI, “Sora is capable of generating entire videos all at once or extending generated videos to make them longer.”

The potential for deep fakes in an election year is one obvious area of concern, but the wider implications of a text-to-video service are perhaps even greater. OpenAI says it is building tools to help detect misleading content as well as reject prompts that violate usage policies, but based on the rapid proliferation of ‘evil ChatGPTs’ (see WormGPT, DarkGPT, and Predator AI for examples) that may be no more than a sticking plaster solution. Sora is still in beta but is currently available to red teamers to help assess the potential risks such a service could cause.

February also saw OpenAI, in conjunction with Microsoft, report on the malicious use of AI by state-affiliated threat actors. Groups associated with four different nations were discovered to be trying to leverage OpenAI for harmful purposes:

China  Charcoal Typhoon / Salmon Typhoon
Iran Crimson Sandstorm
North Korea Emerald Sleet
Russia Forest Blizzard

The use of AI by threat actors largely revolves around improving productivity and automating existing tasks that are labor intensive, such as generating social engineering content. To date, it has not been used to produce novel attacks. However, we are still very much in the early stages of understanding the capabilities of this new technology.

The fact that it is already being leveraged by both state-sponsored actors and financially-motivated cybercriminals emphasizes the need for defenders to keep pace with AI’s evolution.

We encourage defenders to review SentinelOne’s recommendations for Safe, Secure, and Trustworthy AI. For specific TTPs related to artificial intelligence systems, see the new MITRE ATLAS™ (Adversarial Threat Landscape for Artificial-Intelligence Systems) framework.

Law Enforcement & Policy | Significant Actions

The U.S. government in February announced a Visa Restriction policy for individuals involved in the misuse of commercial spyware. The policy covers not only the use of spyware, but also anyone “believed to facilitate or derive financial benefit from the misuse of commercial spyware” and “developing, directing, or operationally controlling companies that furnish technologies such as commercial spyware”.

The move reflects mounting concerns about the rise of private sector offensive actors (aka hack-for-hire groups) and the safety of mobile devices.

Coordinated action by U.S. and U.K. law enforcement to disrupt LockBit operations generated plenty of headlines in the third week of February, but early signs are that the group is not down and out yet. On February 24, 2024, LockBit released a series of statements concerning the disruption.

The group claimed the FBI was unable to compromise all of their infrastructure, allowing the group to reestablish and maintain primary operations. The statements included functional links to a blog site and data portals to support their claims that the ransomware operator was still in business.

LockBit’s disruption may yet turn out to be temporary, following the trend set by direct actions against Hive, ALPHV and others.

Excerpt of LockBit’s February 24, 2024 ‘Statement’

In further signs of an escalating, policy-driven offensive to tackle cybercrime, the United States Department of State has offered a ten million dollar bounty for information relating to Hive ransomware operators and co-conspirators. On February 9th, the U.S. Department of Justice disclosed the dismantling of Warzone RAT, the seizure of supporting data and infrastructure, and the filing of charges against key players tied to the operation.

Conclusion

Coordinated action by the U.S. and other governments is certainly having an impact on cybercriminals’ operations, but there are still more threat actors out there than we can count, and there’s a long way to go in this battle to capture, thwart and discourage digital attackers.

February’s quick takeaway for busy readers: patch before a breach occurs, and report it when it does.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.

PinnacleOne ExecBrief | China’s Hacking Ecosystem

Last week, PinnacleOne collaborated with SentinelLabs to unpack the leak of internal files from a firm (I-Soon) that contracts with Chinese government security agencies to hack global targets.

In this ExecBrief, we examine how I-Soon (上海安洵) fits into the larger Chinese hacking ecosystem and highlight key implications for business leaders.

Please subscribe to read future issues— and forward this newsletter to your colleagues to get them to sign up as well.

Feel free to contact us directly with any comments or questions: pinnacleone-info@sentinelone.com

Insight Focus: China’s Hacking Ecosystem

The leak of I-Soon’s internal files provided security researchers concrete details revealing the maturing nature of China’s cyber espionage ecosystem. The files–including chat logs between hackers offering pilfered data and complaining about poor compensation–showed explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire. [PinnacleOne’s own Dakota Cary was in demand last week, quoted for comment in the FT, CNN, BBC, AP, Bloomberg, NBC News, NPR, Newsweek, The Record, Cyberscoop, KrebsonSecurity, DarkReading, and more.]

This company is one of many that contract with government agencies, including the Ministry of Public Security, Ministry of State Security, and People’s Liberation Army. As China’s appetite for foreign data and ambitions to become a global cyber power have grown, so has this burgeoning private industry of hackers-for-hire and an associated market for a torrent of stolen information.

What The I-Soon Leaks Show

Some of the leaks show how private operators sometimes independently–and perhaps opportunistically–exploit foreign targets, seeking a government buyer only after the data has been acquired. The chat logs from I-Soon employees demonstrate how the company, in need of cash to pad its books, conducted independent operations on the expectation (or hope) that a government customer would buy their wares. In the case presented by the chat logs, no buyer apparently materialized and such operations were the exception, not the rule. Many of the apparent victims could be tied directly to government agencies soliciting their penetration by I-Soon.

Some media outlets are overemphasizing this “entrepreneurial” data theft and sale as the overarching condition of China’s hack-for-hire market. These outlets are wrong. It is important not to over-interpret the findings from this one company’s activities.

What Really Drives PRC Cyber Targeting

It remains the case that China’s national security, geopolitical, and economic objectives drive a strong set of demand signals that shape its public and private cyber operations against western targets across the full spectrum of technology and industry sectors.

Some sectors are targeted for intellectual property, scientific information, or competitive intelligence, while others fall into the military bullseye for strategic prepositioning in advance of conflict scenarios. Of course, a large effort is also devoted to domestic and overseas political monitoring, control, and repression. We see private actors like I-Soon responding with cyber solutions to meet all of these demand signals.

How PRC Political Demands Translate into Targeting Requirements

China’s approach to cyberespionage incorporates broad swaths of the party-state apparatus and translates into both legal and covert activities to meet politically-defined technology targeting requirements (see graphic below).

The top-level policy document that sets the strategic demand signal is the National People’s Congress Five-Year Plan, which establishes strategic goals by sector, against which individual government ministries release their own detailed Five-Year Plans. Different industries, academic institutions, state-owned enterprises (SOEs), and provincial and municipal governments interpret these plans and operationalize them according to their own, wildly diverse, policy processes.

The two most important ministries for technology development (and cyberespionage targeting requirements) are the Ministry of Science and Technology (MOST) and the Ministry of Industry and Information Technology (MIIT). These ministries oversee an archipelago of research institutes and academic institutions and interact with the foreign affairs and security departments to support their efforts.

In particular, a cadre of Science and Technology Diplomats is deployed overseas to help identify and target technologies and industries of interest, while domestic academic institutions coordinate with S&T Conversion Centers to support technology transfer and indigenization activities. Meanwhile, private industry and SOEs conducting their own research efforts request assistance from MOST/MIIT and insert their own technology requirements to help shape government funding and targeting priorities.

At this level, legal means like joint venture agreements, acquisitions, and talent poaching are preferred, even if conducted with subterfuge or obfuscation via third party cut-outs. However, government research institutes, the “Seven Sons” of national defense universities, and military SOEs typically prefer illicit means. These consumers may utilize the PLA’s own hacking units or request support from the Ministry of State Security (MSS).

This complex web of activities generates a massive, continuous flow of internal scientific, technical, and industrial targeting requirements that drive licit and illicit technology transfer and IP theft activities. Companies like I-Soon represent the tip of the iceberg.

What This Means for Business Executives

China has a whole-of-government effort to capture market share in strategic industries, “seize the commanding heights” of emerging critical technologies, and reduce its external dependencies on adversaries while increasing adversary dependencies on China.

This is all in service of a grand strategy to climb and dominate global value chains, expand geoeconomic influence, and rewrite the economic and security architecture of the world system.

As a result, the set of sectors and firms that find themselves in the geopolitical and cyberespionage bullseye will continue to grow, as will the intensity of the offensive operations targeted against them.

As the I-Soon leaks demonstrate, it isn’t just well-resourced state actors that firms have to contend with. The fact that underpaid, moderately skilled independent hackers can achieve as much success as the I-Soon files show should be a loud wake-up call to global executives about the resilience of their security posture.

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.

UNFOLDING DISASTER

In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A screen shot released by LockBit showing various Fulton County file shares that were exposed.

LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.

George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.

Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.

“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”

LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.

The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”

LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton County’s new countdown timer.

LockBit’s new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.

“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

DOX DODGING

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry titled, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.

However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.

On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is offered for information on affiliates.

In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.

“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.”

TROUBLE ON THE HOMEFRONT?

In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.

Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and the former Soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.

LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.

Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.

A post by the XSS administrator saying LockBitSupp wanted him dead.

INTERVIEW WITH LOCKBITSUPP

KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.

LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.

“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”

Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.

“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”

It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.

Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fani Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.

Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.

Fulton County is still trying to recover systems and restore services affected by the ransomware attack. “Fulton County continues to make substantial progress in restoring its systems following the recent ransomware incident resulting in service outages,” reads the latest statement from the county on Feb. 22. “Since the start of this incident, our team has been working tirelessly to bring services back up.”

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good | LockBit Ransomware Gang Locked Down & Chinese Cyber Espionage Ecosystem Exposed

The cybersecurity community saw two valuable developments this week, the first being a hard-won shut down of the notorious LockBit infrastructure, and the second, a rare glimpse into the inner workings of China’s cyber espionage operations.

LockBit has long plagued victims across several critical industries, costing $91 million in losses within the U.S. alone since 2020. In a collaborative effort involving law enforcement from 11 countries and Europol, Operation Cronos dealt a significant blow to the ransomware gang.

Source: NCA

Authorities were able to seize multiple darknet domains operated by the gang, disrupting the primary infrastructure that enabled their Ransomware-as-a-Service (RaaS) model. The joint operation also resulted in the arrest of two LockBit operators, the freezing of over 200 cryptocurrency accounts associated with the group, and the development of a LockBit 3.0 Black decryptor tool available for free. The U.S. State Department is also offering up to $15 million in rewards for information leading to the apprehension of key LockBit leaders, group associates, or ransomware affiliates.

In other news, cyber defenders are getting a unique peek into China’s state-sanctioned cyber espionage efforts, which have fostered a competitive marketplace of independent contractor hackers-for-hire over the years. I-Soon, a PRC-contracted company, suffered a data leak in which thousands of client-employee messages and dozens of marketing materials were published anonymously on GitHub. While investigation into the origin and authenticity of the leaked content is ongoing, the event offers much insight into Chinese offensive operations and gives defenders an opportunity to improve their cyber defenses and better understand mature operators within the greater cyber threat domain.

The Bad | Critical ConnectWise ScreenConnect RCE Bugs Exploited in the Wild

Warnings abound this week for ConnectWise customers regarding two critical-severity remote code execution (RCE) flaws within ScreenConnect. Tracked as CVE-2024-1709, an authentication bypass, and CVE-2024-1708, a path traversal, the flaws in the popular remote monitoring and management (RMM) software allow unauthorized access or arbitrary code execution.

It seems that attackers have wasted no time. Just a day after the initial disclosure and with technical details and proof-of-concepts circulating online, both vulnerabilities are confirmed to be under active exploitation. In the case of CVE-2024-1709, an attacker can send specially crafted requests within affected versions to trigger the setup wizard, even when the software is already set up, before creating a new administrator account to take control of the ScreenConnect instance.

Leveraging the path traversal flaw, CVE-2024-1708, an attacker can access or modify files outside of the intended restricted directory. Exploited in tandem, the two flaws enable attackers to access and manipulate sensitive files and then upload a malicious payload outside of the ScreenConnect subdirectory. In the wake of the active exploitation, ConnectWise has removed all license restrictions and continues to urge users to update on-premises servers to version 23.9.8 at minimum.

Recent advisories from CISA, NSA, and MS-ISAC highlight the increasing misuse of legitimate RMM software like ScreenConnect for malicious purposes. RMM applications can be used as backdoors for persistence or command and control (C2). Network defenders are reminded to regularly audit remote access tools for abnormal use, patch on time, and put proactive security measures in place to detect intrusions and potential breaches.
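As an added illustration (not code from the page, from ConnectWise or from the advisories), the following Python sketches how a defender could hunt for the two behaviours described above in web access logs: requests that reach the setup wizard on an instance that is already configured, and directory-traversal sequences in request paths, correlated per source address so that a traversal shortly after a wizard hit is escalated. The log format and sample lines are constructed and simplified; a real ScreenConnect or IIS log would need its own parser.

```python
"""Hunting sketch for the ScreenConnect abuse pattern discussed above.

Flags, from a stream of simplified access-log lines:
  1. any request touching SetupWizard.aspx while the instance is already
     configured (the CVE-2024-1709 pattern: the wizard should never be
     reachable after initial setup), with a POST rated higher because the
     wizard's submit step is what creates an administrator account;
  2. directory-traversal sequences in request paths (CVE-2024-1708 pattern);
  3. a traversal from the same client within a short window of a wizard
     hit, escalated to critical as a likely chained exploit.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional
from urllib.parse import unquote

# Constructed, simplified log format (assumption, not ScreenConnect's real layout):
#   <ISO timestamp> <client ip> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Event:
    ts: datetime
    ip: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["ip"], m["method"],
                 m["path"], int(m["status"]))


def normalize_path(path: str) -> str:
    """Drop the query string and decode twice so single- and double-encoded
    paths compare equal to their plain form."""
    return unquote(unquote(path.split("?", 1)[0]))


def touches_setup_wizard(path: str) -> bool:
    """True if SetupWizard.aspx appears as a path segment. Matching on the
    segment (case-insensitive) means a query string, trailing slash or extra
    segments do not hide the request from this check."""
    return any(seg.lower() == "setupwizard.aspx"
               for seg in normalize_path(path).split("/"))


def has_traversal(path: str) -> bool:
    """True if a '..' segment survives normalisation (either slash style)."""
    return any(seg == ".." for seg in normalize_path(path).replace("\\", "/").split("/"))


def analyze(lines: Iterable[str], instance_configured: bool = True,
            window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Return findings in log order; each is a dict with rule, severity, ip, ts, path."""
    findings: List[dict] = []
    last_wizard: Dict[str, datetime] = {}  # client ip -> time of last wizard hit
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if instance_configured and touches_setup_wizard(ev.path):
            findings.append({"rule": "setup_wizard_on_configured_instance",
                             "severity": "high" if ev.method == "POST" else "medium",
                             "ip": ev.ip, "ts": ev.ts.isoformat(), "path": ev.path})
            last_wizard[ev.ip] = ev.ts
        if has_traversal(ev.path):
            chained = ev.ip in last_wizard and ev.ts - last_wizard[ev.ip] <= window
            findings.append({"rule": "path_traversal_chained" if chained else "path_traversal",
                             "severity": "critical" if chained else "high",
                             "ip": ev.ip, "ts": ev.ts.isoformat(), "path": ev.path})
    return findings


# Constructed sample log: one client walks the wizard-then-traversal sequence,
# a second client only trips the traversal rule, and one line is malformed.
SAMPLE_LOG = [
    "2024-02-21T10:00:01 203.0.113.7 GET /Login 200",
    "2024-02-21T10:00:05 203.0.113.7 GET /SetupWizard.aspx 200",
    "2024-02-21T10:00:09 203.0.113.7 POST /SetupWizard.aspx 302",
    "2024-02-21T10:01:30 203.0.113.7 GET /ext/..%2f..%2fnotes.txt 200",
    "2024-02-21T10:05:00 198.51.100.9 GET /Host 200",
    "2024-02-21T11:30:00 198.51.100.9 GET /files/../secret.txt 404",
    "this line is not a log entry",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['rule']:36} {f['ip']:14} {f['path']}")
```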

The Ugly | German Elections Under Threat by Russian-Linked Influence Operations

SentinelLabs and ClearSky Cyber Security this week unveiled a substantial propaganda and disinformation campaign believed to be orchestrated by a Russia-aligned influence operation network dubbed Doppelgänger. Initiated in late November 2023, the campaign initially targeted Ukrainian affairs but has since expanded its reach to audiences in the United States, Israel, France, and Germany.

Findings from both SentinelLabs and ClearSky expand on Doppelgänger’s rising efforts in spreading disinformation. The network’s activities currently focus on employing propaganda and disinformation tactics to influence public opinion, particularly regarding socio-economic and geopolitical matters relevant to targeted German audiences.

Doppelgänger’s latest campaign concentrates on criticizing the ruling government coalition’s support for Ukraine, potentially with the aim of influencing public sentiment ahead of imminent elections. This discovery correlates with the latest reports from the German Ministry of Foreign Affairs and the Der Spiegel media outlet, which have also raised alarms about potential election interference within Germany.

Doppelgänger’s modus operandi involves an extensive network of social media accounts, primarily on X (formerly Twitter). Network operators also engage in coordinated activities to amplify their messages through a sophisticated infrastructure, including a network of websites hosting propaganda articles designed to mimic legitimate news outlets, coupled with evasion tactics.

Anti-government statements in a health-themed article (emphasis added)

With major elections on the horizon across the EU and the United States, the persistence and evolving nature of Doppelgänger’s campaign speak to more cases of information warfare to come. As threat actors continue to exploit media and trending geopolitical and socio-economic current events, a combination of public awareness campaigns, social media literacy programs, and effective social media security policies will be much needed to minimize the threat of propaganda and disinformation online.

New Leak Shows Business Side of China’s APT Menace

A new data leak that appears to have come from one of China’s top private cybersecurity firms provides a rare glimpse into the commercial side of China’s many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation’s burgeoning and highly competitive cybersecurity industry.

A marketing slide deck promoting i-SOON’s Advanced Persistent Threat (APT) capabilities.

A large cache of more than 500 documents published to GitHub last week indicates the records come from i-SOON, a technology company headquartered in Shanghai that is perhaps best known for providing cybersecurity training courses throughout China. But the leaked documents, which include candid employee chat conversations and images, show a less public side of i-SOON, one that frequently initiates and sustains cyberespionage campaigns commissioned by various Chinese government agencies.

The leaked documents suggest i-SOON employees were responsible for a raft of cyber intrusions over many years, infiltrating government systems in the United Kingdom and countries throughout Asia. Although the cache does not include raw data stolen from cyber espionage targets, it features numerous documents listing the level of access gained and the types of data exposed in each intrusion.

Security experts who reviewed the leaked data say they believe the information is legitimate, and that i-SOON works closely with China’s Ministry of Public Security and the military. In 2021, the Sichuan provincial government named i-SOON as one of “the top 30 information security companies.”

“The leak provides some of the most concrete details seen publicly to date, revealing the maturing nature of China’s cyber espionage ecosystem,” said Dakota Cary, a China-focused consultant at the security firm SentinelOne. “It shows explicitly how government targeting requirements drive a competitive marketplace of independent contractor hackers-for-hire.”

Mei Danowski is a former intelligence analyst and China expert who now writes about her research in a Substack publication called Natto Thoughts. Danowski said i-SOON has achieved the highest secrecy classification that a non-state-owned company can receive, which qualifies the company to conduct classified research and development related to state security.

i-SOON’s “business services” webpage states that the company’s offerings include public security, anti-fraud, blockchain forensics, enterprise security solutions, and training. Danowski said that in 2013, i-SOON established a department for research on developing new APT network penetration methods.

APT stands for Advanced Persistent Threat, a term that generally refers to state-sponsored hacking groups. Indeed, among the documents apparently leaked from i-SOON is a sales pitch slide boldly highlighting the hacking prowess of the company’s “APT research team” (see screenshot above).

i-SOON CEO Wu Haibo, in 2011. Image: nattothoughts.substack.com.

The leaked documents included a lengthy chat conversation between the company’s founders, who repeatedly discuss flagging sales and the need to secure more employees and government contracts. Danowski said the CEO of i-SOON, Wu Haibo (“Shutdown” in the leaked chats), is a well-known first-generation red hacker or “Honker,” and an early member of Green Army, the very first Chinese hacktivist group, founded in 1997. Mr. Wu has not yet responded to a request for comment.

In October 2023, Danowski detailed how i-SOON became embroiled in a software development contract dispute when it was sued by a competing Chinese cybersecurity company called Chengdu 404. In September 2021, the U.S. Department of Justice unsealed indictments against multiple Chengdu 404 employees, charging that the company was a facade that hid more than a decade’s worth of cyber intrusions attributed to a threat actor group known as “APT 41.”

Danowski said the existence of this legal dispute suggests that Chengdu 404 and i-SOON have or at one time had a business relationship, and that one company likely served as a subcontractor to the other.

“From what they chat about we can see this is a very competitive industry, where companies in this space are constantly poaching each others’ employees and tools,” Danowski said. “The infosec industry is always trying to distinguish [the work] of one APT group from another. But that’s getting harder to do.”

It remains unclear if i-SOON’s work has earned it a unique APT designation. But Will Thomas, a cyber threat intelligence researcher at Equinix, found an Internet address in the leaked data that corresponds to a domain flagged in a 2019 Citizen Lab report about one-click mobile phone exploits that were being used to target groups in Tibet. The 2019 report referred to the threat actor behind those attacks as an APT group called Poison Carp.

Several images and chat records in the data leak suggest i-SOON’s clients periodically gave the company a list of targets they wanted to infiltrate, but sometimes employees confused the instructions. One screenshot shows a conversation in which an employee tells his boss they’ve just hacked one of the universities on their latest list, only to be told that the victim in question was not actually listed as a desired target.

The leaked chats show i-SOON continuously tried to recruit new talent by hosting a series of hacking competitions across China. It also performed charity work, and sought to engage employees and sustain morale with various team-building events.

However, the chats include multiple conversations between employees commiserating over long hours and low pay. The overall tone of the discussions indicates employee morale was quite low and that the workplace environment was fairly toxic. In several of the conversations, i-SOON employees openly discuss with their bosses how much money they just lost gambling online with their mobile phones while at work.

Danowski believes the i-SOON data was probably leaked by one of those disgruntled employees.

“This was released the first working day after the Chinese New Year,” Danowski said. “Definitely whoever did this planned it, because you can’t get all this information all at once.”

SentinelOne’s Cary said he came to the same conclusion, noting that the Protonmail account tied to the GitHub profile that published the records was registered a month before the leak, on January 15, 2024.

China’s much vaunted Great Firewall not only lets the government control and limit what citizens can access online, but this distributed spying apparatus allows authorities to block data on Chinese citizens and companies from ever leaving the country.

As a result, China enjoys a remarkable information asymmetry vis-a-vis virtually all other industrialized nations. Which is why this apparent data leak from i-SOON is such a rare find for Western security researchers.

“I was so excited to see this,” Cary said. “Every day I hope for data leaks coming out of China.”

That information asymmetry is at the heart of the Chinese government’s cyberwarfare goals, according to a 2023 analysis by Margin Research performed on behalf of the Defense Advanced Research Projects Agency (DARPA).

“In the area of cyberwarfare, the western governments see cyberspace as a ‘fifth domain’ of warfare,” the Margin study observed. “The Chinese, however, look at cyberspace in the broader context of information space. The ultimate objective is, not ‘control’ of cyberspace, but control of information, a vision that dominates China’s cyber operations.”

The National Cybersecurity Strategy issued by the White House last year singles out China as the biggest cyber threat to U.S. interests. While the United States government does contract certain aspects of its cyber operations to companies in the private sector, it does not follow China’s example in promoting the wholesale theft of state and corporate secrets for the commercial benefit of its own private industries.

Dave Aitel, a co-author of the Margin Research report and former computer scientist at the U.S. National Security Agency, said it’s nice to see that Chinese cybersecurity firms have to deal with all of the same contracting headaches facing U.S. companies seeking work with the federal government.

“This leak just shows there’s layers of contractors all the way down,” Aitel said. “It’s pretty fun to see the Chinese version of it.”

Feds Seize LockBit Ransomware Websites, Offer Decryption Tools, Troll Affiliates

U.S. and U.K. authorities have seized the darknet websites run by LockBit, a prolific and destructive ransomware group that has claimed more than 2,000 victims worldwide and extorted over $120 million in payments. Instead of listing data stolen from ransomware victims who didn’t pay, LockBit’s victim shaming website now offers free recovery tools, as well as news about arrests and criminal charges involving LockBit affiliates.

Investigators used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the law enforcement action involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the unsealing of two indictments; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities.

LockBit members have executed attacks against thousands of victims in the United States and around the world, according to the U.S. Department of Justice (DOJ). First surfacing in September 2019, the gang is estimated to have made hundreds of millions of U.S. dollars in ransom demands, and extorted over $120 million in ransom payments.

LockBit operated as a ransomware-as-a-service group, wherein the ransomware gang takes care of everything from the bulletproof hosting and domains to the development and maintenance of the malware. Meanwhile, affiliates are solely responsible for finding new victims, and can reap 60 to 80 percent of any ransom amount ultimately paid to the group.

A statement on Operation Cronos from the European police agency Europol said the months-long infiltration resulted in the compromise of LockBit’s primary platform and other critical infrastructure, including the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Europol said two suspected LockBit actors were arrested in Poland and Ukraine, but no further information has been released about those detained.

The DOJ today unsealed indictments against two Russian men alleged to be active members of LockBit. The government says Russian national Artur Sungatov used LockBit ransomware against victims in manufacturing, logistics, insurance and other companies throughout the United States.

Ivan Gennadievich Kondratyev, a.k.a. “Bassterlord,” allegedly deployed LockBit against targets in the United States, Singapore, Taiwan, and Lebanon. Kondratyev is also charged with three criminal counts arising from his alleged use of the Sodinokibi (aka “REvil”) ransomware variant to encrypt data, exfiltrate victim information, and extort a ransom payment from a corporate victim based in Alameda County, California.

With the indictments of Sungatov and Kondratyev, a total of five LockBit affiliates now have been officially charged. In May 2023, U.S. authorities unsealed indictments against two alleged LockBit affiliates, Mikhail “Wazawaka” Matveev and Mikhail Vasiliev.

Vasiliev, 35, of Bradford, Ontario, Canada, is in custody in Canada awaiting extradition to the United States. Matveev remains at large, presumably still in Russia. In January 2022, KrebsOnSecurity published “Who is the Network Access Broker ‘Wazawaka’?”, which followed clues from Wazawaka’s many pseudonyms and contact details on the Russian-language cybercrime forums back to a 31-year-old Mikhail Matveev from Abaza, RU.

An FBI wanted poster for Matveev.

In June 2023, Russian national Ruslan Magomedovich Astamirov was charged in New Jersey for his participation in the LockBit conspiracy, including the deployment of LockBit against victims in Florida, Japan, France, and Kenya. Astamirov is currently in custody in the United States awaiting trial.

LockBit was known to have recruited affiliates that worked with multiple ransomware groups simultaneously, and it’s unclear what impact this takedown may have on competing ransomware affiliate operations. The security firm ProDaft said on Twitter/X that the infiltration of LockBit by investigators provided “in-depth visibility into each affiliate’s structures, including ties with other notorious groups such as FIN7, Wizard Spider, and EvilCorp.”

In a lengthy thread about the LockBit takedown on the Russian-language cybercrime forum XSS, one of the gang’s leaders said the FBI and the U.K.’s National Crime Agency (NCA) had infiltrated its servers using a known vulnerability in PHP, a scripting language that is widely used in Web development.

Several denizens of XSS wondered aloud why the PHP flaw was not flagged by LockBit’s vaunted “Bug Bounty” program, which promised a financial reward to affiliates who could find and quietly report any security vulnerabilities threatening to undermine LockBit’s online infrastructure.

This prompted several XSS members to start posting memes taunting the group about the security failure.

“Does it mean that the FBI provided a pentesting service to the affiliate program?,” one denizen quipped. “Or did they decide to take part in the bug bounty program? :):)”

Federal investigators also appear to be trolling LockBit members with their seizure notices. LockBit’s data leak site previously featured a countdown timer for each victim organization listed, indicating the time remaining for the victim to pay a ransom demand before their stolen files would be published online. Now, the top entry on the shaming site is a countdown timer until the public doxing of “LockBitSupp,” the unofficial spokesperson or figurehead for the LockBit gang.

“Who is LockbitSupp?” the teaser reads. “The $10m question.”

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

“My god, who needs me?,” LockBitSupp wrote on Jan. 22, 2024. “There is not even a reward out for me on the FBI website. By the way, I want to use this chance to increase the reward amount for a person who can tell me my full name from USD 1 million to USD 10 million. The person who will find out my name, tell it to me and explain how they were able to find it out will get USD 10 million. Please take note that when looking for criminals, the FBI uses unclear wording offering a reward of UP TO USD 10 million; this means that the FBI can pay you USD 100, because technically, it’s an amount UP TO 10 million. On the other hand, I am willing to pay USD 10 million, no more and no less.”

Mark Stockley, cybersecurity evangelist at the security firm Malwarebytes, said the NCA is obviously trolling the LockBit group and LockBitSupp.

“I don’t think this is an accident—this is how ransomware groups talk to each other,” Stockley said. “This is law enforcement taking the time to enjoy its moment, and humiliate LockBit in its own vernacular, presumably so it loses face.”

In a press conference today, the FBI said Operation Cronos included investigative assistance from the Gendarmerie-C3N in France; the State Criminal Police Offices (LKA) and Federal Criminal Police Office in Germany; Fedpol and Zurich Cantonal Police in Switzerland; the National Police Agency in Japan; the Australian Federal Police; the Swedish Police Authority; the National Bureau of Investigation in Finland; the Royal Canadian Mounted Police; and the National Police in the Netherlands.

The Justice Department said victims targeted by LockBit should contact the FBI at https://lockbitvictims.ic3.gov/ to determine whether affected systems can be successfully decrypted. In addition, the Japanese Police, supported by Europol, have released a recovery tool designed to recover files encrypted by the LockBit 3.0 Black Ransomware.

The Good, the Bad and the Ugly in Cybersecurity – Week 7

The Good | Back-to-Back FBI Ops Disrupt Major RAT Infrastructure & GRU Spy Network

This week brought two wins for the FBI in the fight against malicious activity by cybercriminals and state-sponsored hackers.

First, the Bureau dismantled an extensive cybercrime operation revolving around the Warzone remote access trojan (RAT). Daniel Meli, a 27-year-old Maltese resident linked to the operation, was arrested for his role in spreading the malware. Warzone RAT was first created in 2018 and is often seen in attacks involving hidden remote desktops, keylogging, reverse proxies, remote shells, UAC bypassing, as well as cookie and password theft.

Meli’s arrest and the seizure of Warzone RAT’s primary website, warzone[.]ws, are the result of transnational cooperation between Maltese authorities and the U.S. DoJ. He faces up to 15 years in prison on charges of unauthorized damage to protected computers, illegally selling and advertising electronic interception devices, and conspiring to commit various computer intrusion offenses.

Warzone RAT website seizure

Just days later, the FBI announced the success of Operation Dying Ember, a court-authorized effort that took down a botnet of Ubiquiti EdgeOS routers infected with Moobot malware. The botnet was reportedly operated by Russia’s military intelligence service, the Main Intelligence Directorate of the General Staff (GRU), through a unit tracked as APT28 or Fancy Bear.

The GRU’s use of pre-existing malware like Moobot speaks to blurred lines between cybercriminal and state-sponsored tactics, challenging traditional threat detection methods. In this case, the GRU hackers had leveraged the malware and effectively repurposed the botnet to deploy their own custom cyber espionage tool. FBI agents have since countered the hackers by using Moobot to delete stolen data, malicious files, and the malware itself before blocking remote access that would have allowed GRU operations to reinfect the routers.

The Bad | RansomHouse Attackers Launch New Tool to Automate VMware ESXi Attacks

RansomHouse has introduced a new tool called ‘MrAgent’, designed to automate the deployment of its data encryptor across multiple VMware ESXi hypervisors. The ransomware-as-a-service (RaaS) operation has targeted large organizations and high-value victims since it emerged in March 2022. ESXi servers are a prime target for ransomware groups because they host the virtual machines that often hold valuable data and critical business applications, amplifying the impact of an attack.

According to recent research, MrAgent streamlines RansomHouse’s attacks on ESXi by identifying host systems, disabling the hypervisor firewall, and deploying the ransomware across multiple hypervisors simultaneously. The tool accepts custom configurations from the command-and-control (C2) server, allowing tailored ransomware deployment and execution of local commands on the hypervisor. By targeting all reachable virtual machines (VMs) at once while keeping its footprint small to reduce the chance of detection, it maximizes the impact of a campaign.

Threat actors will continue to focus on automating their tactics to conduct faster, more effective campaigns. For example, SentinelLabs this week identified threat actors moving workloads previously handled by traditional web servers to the cloud in order to bulk send SMS messages through SNS Sender, a Python script that uses AWS Simple Notification Service (SNS) for the purpose of spamming phishing links.
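The SNS Sender abuse above leaves a footprint on the defender’s side of the API: a single principal publishing directly to many phone numbers in a short time, with a link in every message. The following detection is an added example written for this page; it is not code from the SentinelLabs report, from SNS Sender, or from AWS. It assumes SNS data-event logging is enabled so that Publish calls appear in CloudTrail, and it assumes direct-to-phone sends carry `phoneNumber` and `message` in `requestParameters` (CloudTrail may redact message bodies in practice). All records, ARNs and access key IDs below are constructed sample data.

```python
"""Spot bulk SMS sending through SNS Publish in CloudTrail-style records."""
import re
from collections import defaultdict
from datetime import datetime, timezone

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumed (constructed) principals: a deployment key abused for spam and a
# legitimate one-time-password service.
SPAMMER = "arn:aws:iam::111122223333:user/ci-deploy"
OTP_APP = "arn:aws:iam::111122223333:role/otp-service"


def _event(time, arn, key, **params):
    """Build a CloudTrail-shaped SNS Publish record (constructed sample data)."""
    return {
        "eventTime": time,
        "eventSource": "sns.amazonaws.com",
        "eventName": "Publish",
        "userIdentity": {"arn": arn, "accessKeyId": key},
        "requestParameters": params,
    }


SAMPLE_RECORDS = [
    # six direct-to-phone sends with a link, 25 seconds apart end to end
    _event("2024-02-20T10:00:%02dZ" % (i * 5), SPAMMER, "AKIAEXAMPLE000000001",
           phoneNumber="+1555010%04d" % i,
           message="Parcel on hold, confirm: http://parcel.example.invalid/c/%d" % i)
    for i in range(6)
] + [
    # topic publish from the same key is not an SMS send and must be ignored
    _event("2024-02-20T10:00:40Z", SPAMMER, "AKIAEXAMPLE000000001",
           topicArn="arn:aws:sns:us-east-1:111122223333:deploy-notices", message="build ok"),
    # one OTP text from a legitimate service
    _event("2024-02-20T10:05:00Z", OTP_APP, "ASIAEXAMPLE000000002",
           phoneNumber="+15550009999", message="Your verification code is 482913"),
    # unrelated API call with no requestParameters
    {"eventTime": "2024-02-20T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"arn": OTP_APP, "accessKeyId": "ASIAEXAMPLE000000002"},
     "requestParameters": None},
]


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sms_publish_events(records):
    """Yield only SNS Publish calls addressed directly to a phone number."""
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com" or rec.get("eventName") != "Publish":
            continue
        params = rec.get("requestParameters") or {}
        if "phoneNumber" in params:
            yield rec


def max_in_window(times, window_seconds):
    """Largest count of sorted timestamps inside any window of window_seconds."""
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_sms_bursts(records, threshold=5, window_seconds=60):
    """One finding per principal whose SMS send rate reaches threshold per window."""
    by_principal = defaultdict(list)
    for rec in sms_publish_events(records):
        ident = rec.get("userIdentity") or {}
        by_principal[(ident.get("arn"), ident.get("accessKeyId"))].append(rec)

    findings = []
    for (arn, key), events in by_principal.items():
        events.sort(key=_ts)
        peak = max_in_window([_ts(e) for e in events], window_seconds)
        if peak < threshold:
            continue
        params = [e["requestParameters"] for e in events]
        findings.append({
            "arn": arn,
            "accessKeyId": key,
            "sms_sends": len(events),
            "peak_in_window": peak,
            "distinct_numbers": len({p["phoneNumber"] for p in params}),
            "with_links": sum(1 for p in params if URL_RE.search(p.get("message", ""))),
            "first_seen": events[0]["eventTime"],
            "last_seen": events[-1]["eventTime"],
        })
    return findings


if __name__ == "__main__":
    for finding in find_sms_bursts(SAMPLE_RECORDS):
        print(finding)
```

The threshold is deliberately per principal rather than per account: a legitimate OTP service will also send at a high rate, so the useful signals are a principal that has never sent SMS before, a high ratio of messages containing links, and many distinct destination numbers. Tune `threshold` and `window_seconds` against a baseline of each principal’s normal Publish volume before alerting on it.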

For threat actors, automation enables them to scale their operations and rapidly deploy attacks. This helps maximize their chances of success, streamline their time and resources, and maintain consistency across attack campaigns. By automating repetitive tasks, threat actors are also able to devote more time to developing sophisticated attack techniques and novel ways of evading detection.

The Ugly | Water Hydra APT Exploits Microsoft Zero-Day to Target Financial Traders

A zero-day vulnerability (CVE-2024-21412) that bypasses Microsoft Defender SmartScreen is under active exploitation by an advanced persistent threat (APT) actor called Water Hydra (aka DarkCasino). In a report this week, cybersecurity researchers revealed the threat actor’s tactics currently focused on leveraging the flaw to distribute the DarkMe malware.

CVE-2024-21412 revolves around the processing of Internet Shortcut files (.url) and the ‘Mark of the Web’ (MOTW). Applications that download files from the internet are supposed to tag them with the MOTW attribute to indicate their origin. When such a file is opened, the MOTW attribute tells Microsoft Defender SmartScreen to warn the user if the file is potentially malicious or to take other security measures. Water Hydra discovered that the MOTW attribute is not carried over to a file reached through a chain of shortcuts, so the final file bypasses SmartScreen inspection.
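The failure mode is easier to reason about with the two artifacts in hand: a .url file is a small INI document (`[InternetShortcut]` with a `URL=` key), and MOTW is the `Zone.Identifier` alternate data stream, another INI document (`[ZoneTransfer]` with `ZoneId=3` for the Internet zone). The example below is added for this page and is not code from the Trend Micro report, from Water Hydra’s tooling, or from Microsoft. It parses both formats from text, walks a shortcut chain through a constructed in-memory “filesystem”, and flags the point where the Internet zone tag on the first hop never reaches the executable at the end. The host `203.0.113.7`, the file names and the `SAMPLE_FILES` contents are constructed; on Windows the stream itself can be read with `open(path + ":Zone.Identifier")`.

```python
"""Inspect Internet Shortcut (.url) chains and Mark-of-the-Web (MOTW) zones."""
import configparser
from urllib.parse import urlparse

ZONE_INTERNET = 3          # ZoneId written by browsers for downloaded files
SHORTCUT_EXTS = (".url", ".lnk")


def _ini(text):
    """Both .url files and Zone.Identifier streams are small INI documents."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str   # keep key case ("URL", "ZoneId")
    cp.read_string(text.replace("\r\n", "\n"))
    return cp


def parse_url_shortcut(text):
    """Return the URL= target of an Internet Shortcut."""
    cp = _ini(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut")
    return cp["InternetShortcut"].get("URL", "").strip()


def parse_zone_id(zone_text):
    """Return ZoneId from Zone.Identifier text, or None when no MOTW is present."""
    if zone_text is None:
        return None
    cp = _ini(zone_text)
    value = cp["ZoneTransfer"].get("ZoneId") if cp.has_section("ZoneTransfer") else None
    return int(value) if value is not None and value.isdigit() else None


def classify_target(url):
    """Is the shortcut target remote, and is it yet another shortcut?"""
    p = urlparse(url)
    scheme = p.scheme.lower()
    remote = scheme in ("http", "https", "ftp") or (scheme == "file" and p.netloc not in ("", "localhost"))
    return {"scheme": scheme, "remote": remote, "is_shortcut": p.path.lower().endswith(SHORTCUT_EXTS)}


def follow_chain(first_name, files, max_hops=5):
    """Walk a shortcut chain through a simulated filesystem.

    files maps a local name or URL to (content, Zone.Identifier text or None).
    Returns the hops visited and a list of findings a reviewer should act on.
    """
    hops, findings, seen = [], [], set()
    name = first_name
    for _ in range(max_hops):
        if name in seen:
            findings.append("shortcut loop at %s" % name)
            break
        seen.add(name)
        if name not in files:
            findings.append("unresolved target %s" % name)
            break
        content, zone_text = files[name]
        hop = {"name": name, "zone": parse_zone_id(zone_text), "final": False}
        hops.append(hop)
        if not name.lower().endswith(".url"):
            hop["final"] = True
            # the failure mode behind the bypass: MOTW on the first hop never reaches the payload
            if hop["zone"] != ZONE_INTERNET and any(h["zone"] == ZONE_INTERNET for h in hops[:-1]):
                findings.append("MOTW lost: %s reached from an Internet-zone shortcut but has ZoneId=%s"
                                % (name, hop["zone"]))
            break
        target = parse_url_shortcut(content)
        info = classify_target(target)
        hop["target"] = target
        if info["is_shortcut"]:
            findings.append("%s points at another shortcut: %s" % (name, target))
        if info["remote"] and info["scheme"] == "file":
            findings.append("%s targets a remote file:// share" % name)
        name = target
    return hops, findings


# Constructed sample: a downloaded .url (tagged ZoneId=3) points at a second .url on
# a remote share, which in turn points at an executable; neither remote file has MOTW.
SAMPLE_FILES = {
    "photo_album.url": (
        "[InternetShortcut]\r\nURL=file://203.0.113.7/share/photo.url\r\nIconIndex=0\r\n",
        "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://forum.example.invalid/t/42\r\n",
    ),
    "file://203.0.113.7/share/photo.url": (
        "[InternetShortcut]\r\nURL=file://203.0.113.7/share/photo.exe\r\n", None),
    "file://203.0.113.7/share/photo.exe": ("MZ...", None),
}

if __name__ == "__main__":
    hops, findings = follow_chain("photo_album.url", SAMPLE_FILES)
    for hop in hops:
        print(hop)
    for finding in findings:
        print("!", finding)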

The campaign targets financial market traders, spreading the malicious internet shortcut files through forex trading forums and Telegram channels. Using social engineering, Water Hydra tricks victims into opening the shortcut, which ultimately delivers DarkMe, a Visual Basic trojan that registers with a command-and-control (C2) server and then downloads and executes further instructions. DarkMe lets the attackers create and delete folders, execute shell commands, and enumerate folder contents, providing a foothold for further exploitation and data exfiltration.

In a previous attack campaign, Water Hydra exploited CVE-2023-38831, another high-severity vulnerability (CVSS score: 7.8) in the WinRAR software, to install malware and breach online cryptocurrency trading accounts.

These campaigns underscore Water Hydra’s adeptness at discovering and exploiting zero-day vulnerabilities, and show that the boundaries between the OS and the security features layered on top of it, such as MOTW and SmartScreen, remain a weak point that threat actors continue to exploit.

PinnacleOne Alert | Russian Space-Based Nuclear Anti-Satellite Weapon

Key Takeaways

  • Russia is likely developing, but has not fully deployed, a nuclear-weapon based anti-satellite system (which would be a treaty violation).
  • This system would threaten to destroy wide swaths of military and commercial systems in low and medium earth orbit, create ground effects, and complicate strategic deterrence.
  • The USG is peeling back the curtain, slightly, on the increasing weaponization of space to alert the broader public to the consequences to economic and geopolitical stability.
  • Firms should incorporate assessments of space-based threats (human and natural) to the core capabilities they rely on to conduct their operations, especially satellite communications, position/navigation/timing, and ground-based systems with space-based dependencies.

Recommendations

Organizations that have to this point assumed the reliability and availability of space systems should conduct scenario-based planning and exercises to improve enterprise resilience.

Executives should ask:

  • How would my business function if satellite communications, GPS, or regional electrical infrastructure were interrupted or degraded for weeks or months?
  • What would we expect to be a collateral consequence of the overt weaponization of space or outright space conflict for terrestrial geopolitical and economic affairs?
  • How do we attempt to better understand and assess the implications of these normally highly classified and deeply shrouded government activities on my commercial objectives?
  • How do we as an organization build more resilience and redundancy into our service providers for essential communications and PNT capabilities?

What Happened?

Multiple sources reported Russia is in the process of developing a space-based anti-satellite (ASAT) nuclear weapons system that would be strategically destabilizing if made operational. Sources told the NYT that Russia “does not appear close to deploying” a nuclear weapon itself, and it is not considered an “urgent threat”. However, there is a “limited window of time, which they did not define, to prevent its deployment.”

While NPR’s sources were not certain if the capability was based on a nuclear weapon or merely nuclear powered, the Washington Post’s reporting squared with the NYT, quoting officials familiar that it involved “damaging critical intelligence or communications satellites with a nuclear weapon.”

Why Does it Matter?

The objective of such a system is to create a form of “area-denial” via electromagnetic interference and radiation effects on satellites in orbit. Deploying nuclear weapons into space is prohibited by the 1967 Outer Space Treaty (negotiated between the U.S. and the Soviet Union).

A nuclear weapon detonated in space can function as an “orbital area denial” system.

This intelligence comes in the context of Russia’s known heavy investments in superoruzhie (“superweapons”) as an asymmetric strategy to counter U.S. technical overmatch. From the Status-6 megaton nuclear torpedo to the 9M730 Burevestnik nuclear-powered cruise missile and the Avangard hypersonic glide vehicle, this new nuclear ASAT system continues a pattern of developing weapons that threaten catastrophic destruction in order to maintain a strategic balance.

It is noteworthy that these reports come soon after Russia launched Kosmos-2575 (a national-security-related payload) on 09FEB24 into an orbit coplanar with Kosmos-2574, launched on 27DEC23. The US Space Force confirmed these satellites have identical orbital parameters. These launches resemble Russia’s 2022 launches of “inspector satellites” that can maneuver in orbit and “exhibited characteristics of a space weapon”, but those are not alleged to be nuclear in nature.

What Is the U.S. Saying?

Attentive observers would have seen, on 13JAN24, the Deputy Secretary of Defense post to X: “The United States is committed to leading with restraint and responsibility in the space domain — and in every domain. We do our part to avoid escalation. We strive to prevent miscommunication. And we work with like-minded nations to keep the space domain peaceful.”

The next day on 14JAN24, Deputy Secretary of Defense Hicks posted, “Space can be a domain of unpredictability, chaos, and destruction… or a domain of stability, tranquility, and possibility. For the good of all mankind, the United States emphatically chooses the latter – and we strongly encourage all nations to do the same.” In retrospect, this seems like a clear expression of displeasure directed at the Russians for their moves to covertly weaponize and destabilize the space domain.

It comes soon after Hicks signed an order rewriting the DoD’s classification policy for space in order to downgrade information previously locked up in Special Access Programs for broader dissemination with allies and partners. Back in 2021, General Hyten (Vice Chairman of the Joint Chiefs of Staff) told the National Security Space Association: “In space, we over-classify everything… Deterrence does not happen in the classified world. Deterrence does not happen in the black; deterrence happens in the white.”

The Washington Examiner reported that “Russian physicists have openly theorized plans to develop a space-based nuclear warhead system that would vaporize a second target-facing element to create a plasma wave that strikes targets in space at range.”

Technical Background

With this disclosure, the U.S. will now have to determine how to respond and how much of this response it needs to make public. Rep. Turner’s statement and presentation of relevant intelligence to the entire House has put his colleagues in the Senate and the White House in a difficult position as they deliberate on a response that preserves geopolitical and strategic flexibility.

A Defense Threat Reduction Agency report found that “one low-yield (10-20 kt), high altitude (125-300 km) nuclear explosion could disable — in weeks to months — all LEO [low earth orbit] satellites not specifically hardened to withstand radiation generated by that explosion.” They note a strategic objective of such an attack would be a “deliberate effort to cause economic damage with lower likelihood of nuclear retaliation … by [a] rogue state facing economic strangulation or imminent military defeat or [p]ose economic threat to the industrial world without causing human casualties or visible damage to economic infrastructure.”

Prompt/direct nuclear effects against ground and air infrastructure via a high altitude electromagnetic pulse (HEMP) would be immediate, though somewhat localized under the detonation. Within weeks, however, the accumulating degradation against LEO assets would cause global disruption to most orbital telecommunications assets.

Also, the Pentagon highlighted in its annual report on the People’s Republic of China military that “the PRC is developing other sophisticated space-based capabilities, such as satellite inspection and repair. At least some of these capabilities could also function as a weapon.”

Given that, for now it appears, Russia has not yet deployed nuclear weapons themselves into orbit, there is time for crisis management, strategic signaling, and deterrence options. However, if they come close to putting, or actually put, a nuclear “package” into space in violation of the OST, then the U.S. would be facing an immediate strategic crisis on par with the Cuban Missile Crisis, at a time when leaders have their hands full with international crises and geopolitical flashpoints.

High Altitude Nuclear Detonations (HANDs) generate strong belt-pumping effects that dramatically reduce the lifetime of LEO satellite constellations (Source: DTRA)

What Should Executives Know?

While this remains in the strategic and orbital sphere for now, the implications for terrestrial communications systems, the emerging space economy, and global peace are deeply concerning. Further, this action by Russia is meant to serve as a cross-domain deterrent to shape conventional conflicts and diplomacy on the ground, casting the dynamics of the Ukrainian war in the light of its implicit threat to make a mess of things in space.

This development sheds public light on an issue that those in the intelligence and defense communities have been concerned with for years – namely, the fragility of global communications and position, navigation, and timing (PNT) systems to disruption or destruction in space.

More now recognize that space is the source of novel risks for a global economy dependent on orbital systems: space weather and solar flares, proliferating directed energy and electromagnetic warfare systems (both ground based and space-based), cyberattacks on space-systems, and the worrying prospect of orbital nuclearization create an escalating and complex risk environment.

Kryptina RaaS | From Underground Commodity to Open Source Threat

One of the key drivers behind the explosion in ransomware attacks over the last five years or more has been the development and proliferation of the ransomware-as-a-service model, a means of providing cybercriminals with easy-to-use, low-cost tools with which to undertake and manage ransomware campaigns. Developers benefit from a steady stream of income from subscription sales while avoiding direct engagement in criminal acts. The recently observed Kryptina RaaS, a dedicated Linux attack framework, has added a new twist to this model: moving from a paid service to an openly available tool.

In this post, we explore the development, technicalities and implications of Kryptina RaaS and its move into open-source crimeware. We dive into what defenders need to know to protect against this latest Linux ransomware and the dangers that open source threats pose to organizations.

The Development of Kryptina RaaS

The Kryptina RaaS first surfaced in December 2023 on underground forums, marketed as a lightweight, fast and highly customizable ransomware solution for Linux systems. Written in C, it offered an attractive proposition for cybercriminals looking for an efficient way to target the Linux servers and cloud workloads that form the backbone of many organizations' networks.

Initially, two purchase options were available: a standalone build (encryptor and decryptor) for $20, and a complete package including source code, builder and documentation for $500. The developer quickly added new features in January, including support for both 32- and 64-bit targets, an updated web interface and support for Monero (XMR) and Bitcoin (BTC) payments. The complete package price rose to $800 with these additions. This pricing strategy indicates that the creator intended to cater to a wide range of actors within the cybercriminal ecosystem.

February saw a surprising turn of events as the creator, known as ‘Corlys’, published the entire source code on BreachForums, effectively removing any financial barrier to entry.

The developer’s stated reasons for releasing the source code of Kryptina were that it had failed to attract buyers. Given the short period of time between its first appearance as a paid offering and release of the open source code, some may not find this credible. Other motivations could include an attempt to build kudos within the cybercrime community, feuds with other criminals and/or fear of attention from law enforcement.

Kryptina 2.2 source code posting in BreachForums

Whatever the motivation, the release of the RaaS source code, complete with extensive documentation, could have significant implications for the spread and impact of ransomware attacks against Linux systems. It is likely to increase the ransomware builder’s attractiveness and usability, drawing in yet more low-skilled participants to the cybercrime ecosystem. There is also significant risk that it will lead to the development of multiple spin-offs and an increase in attacks, an effect previously observed after the leak of Babuk ransomware’s source code.

Kryptina Payload | Technical Details

As noted, Kryptina is Linux-only, and the builder produces either 64-bit or 32-bit ELF payloads. On execution, the payload encrypts the directories and files that were specified in the builder at configuration time.

The encryption process runs across multiple parallel threads and depends on OpenSSL's libcrypto library. Files are encrypted with AES-256 in CBC mode. The keys and configuration data embedded in the payload are obfuscated by XORing them with a value chosen at build time (the builder's --xor_key option, default 155) and then base64 encoding the result.
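The config obfuscation described above is simple enough to undo by hand, and an analyst working on a sample built with a non-default --xor_key needs to recover that key first. The following is an added Python example, not Kryptina's code and not taken from the SentinelOne post. It assumes the scheme is a single-byte XOR over the whole config blob followed by base64 (the post states XOR then base64 but not the key width or the config layout); the key=value config text, the field names and the sample key value are constructed for this example, and the brute-force step anchors on the documented default extension string "krptna" as a heuristic, which would have to be adjusted for a sample built with a custom -e extension.

```python
import base64
import string
from typing import Optional

# Constructed sample: a hypothetical plaintext config in the style of the
# builder's parameters. Kryptina's real config layout is not documented on
# this page; only the XOR-then-base64 wrapping is.
SAMPLE_CONFIG = (
    "name=victim-corp;ext=.krptna;jobs=20;"
    "key=3q2+7wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=;"
    "note=README_krptna.txt;deadline=72"
)
DEFAULT_XOR_KEY = 155  # the builder's documented default for --xor_key


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (0-255). Self-inverse."""
    if not 0 <= key <= 255:
        raise ValueError("single-byte XOR key expected")
    return bytes(b ^ key for b in data)


def encode_config(plaintext: str, key: int = DEFAULT_XOR_KEY) -> str:
    """Builder-side encoding: XOR, then base64 (the order the post describes)."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def decode_config(blob: str, key: int = DEFAULT_XOR_KEY) -> str:
    """Payload/analyst-side decoding: base64, then XOR with the same key."""
    return xor_bytes(base64.b64decode(blob), key).decode()


_PRINTABLE = set(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; 1.0 for a text config."""
    if not data:
        return 0.0
    return sum(b in _PRINTABLE for b in data) / len(data)


def recover_xor_key(blob: str, marker: bytes = b"krptna") -> Optional[int]:
    """Brute-force the single-byte key for a blob built with a custom --xor_key.

    Tries all 256 keys, keeps only candidates that contain the marker string
    (an assumption: the family's default extension shows up in the decoded
    config), and picks the one with the highest printable ratio. Returns None
    when nothing looks like text.
    """
    raw = base64.b64decode(blob)
    best_key, best_score = None, 0.0
    for k in range(256):
        cand = xor_bytes(raw, k)
        if marker not in cand:
            continue
        score = printable_ratio(cand)
        if score > best_score:
            best_key, best_score = k, score
    return best_key if best_score >= 0.95 else None


if __name__ == "__main__":
    blob = encode_config(SAMPLE_CONFIG, key=42)  # custom key, as an operator might set
    key = recover_xor_key(blob)
    print("recovered key:", key)
    print(decode_config(blob, key))
```

Feeding the function a blob carved from a sample's data section is enough to recover the key and the embedded AES key material; the decoded text is the same data the builder logs under output/ unless the operator used --nolog.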

File encryption is handled by the krptna_process_file() function. It creates an OpenSSL cipher context with EVP_CIPHER_CTX_new(), streams the file through EVP_CipherUpdate() to transform the plaintext into ciphertext in the output buffer, and calls EVP_CipherFinal() to complete the operation and apply the required CBC padding.

Payloads can be configured (--secdel) to securely delete the original file as part of encrypting it, further hampering any data recovery efforts. When enabled, the secure_delete_file() function first determines the file size with stat(), then builds a buffer of random bytes. The target file is opened for writing and the random bytes are written into it, overwriting the original content, until the amount written matches the file's original size. The file is then removed with unlink().

“Secure deletion” in Kryptina

The secure_delete_file() function uses a single pass, overwriting each byte of the file once rather than the multiple passes with varying patterns seen in some other ransomware. A single pass is generally enough to make the original content unrecoverable from the file itself and keeps the run time down, although the builder still flags the option as very slow. An in-place overwrite only defeats recovery from the blocks it actually touches: on copy-on-write filesystems, on volumes with snapshots, and on SSDs whose wear levelling remaps writes, the old data may persist elsewhere, and backups are unaffected.
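The steps above translate directly into code, and writing them out makes one detail visible that the description glosses over: how the file is opened matters. This is an added Python example of the same single-pass technique, not Kryptina's secure_delete_file() and not from the SentinelOne post. It assumes nothing about Kryptina beyond the stat, random-fill, write and unlink sequence described; the chunked writes, the deliberate omission of O_TRUNC and the fsync() are my design choices, and the demo file contents are constructed.

```python
import os
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks rather than one file-sized buffer


def secure_delete_file(path: str, chunk_size: int = CHUNK, unlink_after: bool = True) -> int:
    """Single-pass overwrite of a file with random bytes, then unlink.

    Follows the sequence the article attributes to Kryptina: stat() for the
    size, fill with random bytes up to exactly that size, unlink(). Returns the
    number of bytes overwritten.
    """
    size = os.stat(path).st_size
    written = 0
    # O_WRONLY *without* O_TRUNC: write over the existing allocation. Opening
    # with truncation (fopen "w") frees the old blocks first, and the random
    # data may then land in freshly allocated blocks, leaving the original
    # content recoverable from the freed ones.
    fd = os.open(path, os.O_WRONLY)
    try:
        while written < size:
            n = min(chunk_size, size - written)
            written += os.write(fd, os.urandom(n))
        os.fsync(fd)  # push the random data to the device before unlinking
    finally:
        os.close(fd)
    if unlink_after:
        os.unlink(path)
    return written


def demo_secure_delete(payload: bytes = b"quarterly-results.xlsx contents " * 1000) -> dict:
    """Create a temp file with constructed contents, overwrite it, inspect, unlink.

    The overwrite runs with unlink_after=False so the on-disk result can be read
    back and compared before the file is removed.
    """
    fd, path = tempfile.mkstemp(prefix="secdel-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    overwritten = secure_delete_file(path, unlink_after=False)
    with open(path, "rb") as f:
        after = f.read()
    os.unlink(path)
    return {
        "size": len(payload),
        "overwritten": overwritten,
        "size_preserved": len(after) == len(payload),
        "content_replaced": after != payload,
        "exists_after": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo_secure_delete())
```

Even with the open-without-truncate choice, the guarantee is limited to the logical blocks of that file on a filesystem that writes in place; snapshots, copy-on-write allocation and SSD flash translation layers can all retain the previous content, which is why response teams should check those sources before concluding that a "securely deleted" file is gone.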

Kryptina Web Interface & Builder

Kryptina’s architecture is built on a foundation of Python scripts for the payload builder and web server components, requiring dependencies like pycrypto, termcolor, flask, and others for full functionality. The tool’s source code is well-documented, reflecting an intent to provide Kryptina as a turnkey solution.

As noted, since its appearance Kryptina underwent several rapid revisions, with version 2.0 introducing significant enhancements including a web interface. The web server, powered by Flask, allows the user to easily view and manage campaigns, build encryptors and decryptors and to communicate with victims via the ‘Chat’ option. If the operator configures “Enable Public View” for the campaign, victims are able to initiate contact with the attacker following instructions provided in the ransom note.

Within the interface, the ‘Dashboard’ displays a quick view of attack campaigns

The builder supports a wide range of command-line arguments for specifying target names, descriptions, encryption keys, directories or files to target, and more. This level of customization underscores Kryptina’s versatility and the granular control it offers to operators.

The builder can also be scripted with Python and supports the following command-line parameters.

Arg          Description
-n           Name of your target
-a           About, a short description about your target
-k           Base64-encoded 256-bit key to use (default: random)
-t           Directories or files to target (comma-separated)
-i           Files/extensions to ignore (comma-separated)
-e           Custom extension to use (default: .krptna)
-j           Max number of jobs (threads) to use (default: 20)
--arch32     Create a 32-bit binary (x86)
--xor_key    The XOR key to use for encoding encrypted config data (default: 155)
--note       The local file containing the encryption notice text (default: note/template.txt)
--note_name  The absolute/relative filename to write the encryption notice to on the target
--nonote     Don't write an encryption note on the target
--bitcoin    Bitcoin wallet address for receiving payment
--monero     Monero wallet address for receiving payment
--amount     The amount to ask for in USD (default: 100.0)
--deadline   The payment deadline in hours (default: 72.0)
--tox        The Tox chat ID you wish to be contacted on
--session    The Session chat ID you wish to be contacted on
--debug      Enable debug output
--demo       Create a demo payload that doesn't actually encrypt/decrypt files
--symbols    Build binary with debug symbols (-ggdb3)
--nolog      Don't log payload config to the output/ directory
--persist    Disable payload self-delete
--secdel     Enable secure delete when encrypting files (very slow, but makes recovery much harder)
--maxsize    Maximum size of file (in megabytes) to target (default: unlimited)
--recommend  Auto-set recommended values for undefined parameters
--static     Build the payloads as static binaries
--verbose    Print compiler commands and output

SentinelOne Protects Against Kryptina Ransomware

SentinelOne Singularity detects Kryptina payloads and protects Linux systems against Kryptina ransomware. When allowed to execute in ‘Detect Only’ mode for observation purposes, Kryptina’s malicious behavior along with indicators can be viewed in the Management console.

SentinelOne protects against Kryptina ransomware

Conclusion | Navigating the Kryptina Threat to Linux Systems

The journey of Kryptina RaaS from a paid underground tool to a freely available open-source project illustrates the complexity of threats facing network defenders. As other actors iterate on the provided code, which provides everything from customizable ransomware payloads to campaign management and victim communication, it is likely that a host of Kryptina variants will proliferate in much the same way as we saw Babuk variants multiply and diversify.

As the move to cloud and cloud workloads and containers continues apace, the attractiveness of Linux as a target for cybercriminals grows with it. Powering everything from edge devices to servers, orchestration technologies like Kubernetes, and cloud infrastructure like AWS, Azure and Google Cloud, Linux systems are at the heart of modern enterprise environments, and securing them is essential.

To learn how SentinelOne can help protect the Linux systems in your organization from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

Source files

03bbfdbad1d1fd93d6c76de9a61e9cfc49e7e319
095538ff7643b0c142335c978bfe83d32a68cdac
1f08d9d0fe90d572a1bb0488ffe60e9f20c11002
226aea1e37bc2d809115ceb6ac5ea99e62d759c9
2aa6a1019c16f4142888278098f0c3263e95e446
33306b854770f95d0a164932d72bec1f78de54bf
51acdb8f29726fe7d5b6207f106e7138b564fd39
5413adf32129d50c4984e406d5a3804435d1cfc1
60b5beffaf738f5112233ed9b36975822c1f7bfc
6f3c3129fc2ac56b61fa4df21e723f3dd2aceb70
8ec866aa48a9bb8d6df7fbbe1a073390f4b0098c
d0231ce29ea7a63bea7451c42d69e93c83babb48
d41b8a7bc9bc444372e06e67585a8086d6ae8cfc
d46fbc4a57dce813574ee312001eaad0aa4e52de
ddcf4a6bc32afe94e3ea955eead9db179d5394c2
e3e8ed6ac01e6edb8d8848b1472882afb0b36f0b
f84ffe172f9d6db18320ad69fc9eade46c41e9da

Payload Samples

355d70ffe98e6f22b6c3ad8d045e025a5ff78260
63580c4b49d350cf1701fb906c94318a683ae668
63ff8359da29c3ba8352ceb4939f2a3e64987ab6
dd495839a4f4db0331c72a4483071a1cef8da17e

MITRE ATT&CK

T1014  Rootkit
T1059.006  Command and Scripting Interpreter: Python
T1068  Exploitation for Privilege Escalation
T1070.003  Indicator Removal: Clear Command History
T1070.004  Indicator Removal: File Deletion
T1070.002  Indicator Removal: Clear Linux or Mac System Logs
T1140  Deobfuscate/Decode Files or Information
T1222.002  File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification
T1485  Data Destruction
T1486  Data Encrypted for Impact
T1562.001  Impair Defenses: Disable or Modify Tools
T1562.012  Impair Defenses: Disable or Modify Linux Audit System
T1573.002  Encrypted Channel: Asymmetric Cryptography


U.S. Internet Leaked Years of Internal, Customer Emails

The Minnesota-based Internet provider U.S. Internet Corp. has a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide. But until it was notified last week, U.S. Internet was publishing more than a decade’s worth of its internal email — and that of thousands of Securence clients — in plain text out on the Internet and just a click away for anyone with a Web browser.

Headquartered in Minnetonka, Minn., U.S. Internet is a regional ISP that provides fiber and wireless Internet service. The ISP’s Securence division bills itself “a leading provider of email filtering and management software that includes email protection and security services for small business, enterprise, educational and government institutions worldwide.”

U.S. Internet/Securence says your email is secure. Nothing could be further from the truth.

Roughly a week ago, KrebsOnSecurity was contacted by Hold Security, a Milwaukee-based cybersecurity firm. Hold Security founder Alex Holden said his researchers had unearthed a public link to a U.S. Internet email server listing more than 6,500 domain names, each with its own clickable link.

A tiny portion of the more than 6,500 customers who trusted U.S. Internet with their email.

Drilling down into those individual domain links revealed inboxes for each employee or user of these exposed host names. Some of the emails dated back to 2008; others were as recent as the present day.

Securence counts among its customers dozens of state and local governments, including: nc.gov — the official website of North Carolina; stillwatermn.gov, the website for the city of Stillwater, Minn.; and cityoffrederickmd.gov, the website for the government of Frederick, Md.

Incredibly, included in this giant index of U.S. Internet customer emails were the internal messages for every current and former employee of U.S. Internet and its subsidiary USI Wireless. Since that index also included the messages of U.S. Internet’s CEO Travis Carter, KrebsOnSecurity forwarded one of Mr. Carter’s own recent emails to him, along with a request to understand how exactly the company managed to screw things up so spectacularly.

Individual inboxes of U.S. Wireless employees were published in clear text on the Internet.

Within minutes of that notification, U.S. Internet pulled all of the published inboxes offline. Mr. Carter responded and said his team was investigating how it happened. In the same breath, the CEO asked if KrebsOnSecurity does security consulting for hire (I do not).

[Author’s note: Perhaps Mr. Carter was frantically casting about for any expertise he could find in a tough moment. But I found the request personally offensive, because I couldn’t shake the notion that maybe the company was hoping it could buy my silence.]

Earlier this week, Mr. Carter replied with a highly technical explanation that ultimately did little to explain why or how so many internal and customer inboxes were published in plain text on the Internet.

“The feedback from my team was an issue with the Ansible playbook that controls the Nginx configuration for our IMAP servers,” Carter said, noting that this incorrect configuration was put in place by a former employee and never caught. U.S. Internet has not shared how long these messages were exposed.

“The rest of the platform and other backend services are being audited to verify the Ansible playbooks are correct,” Carter said.

Holden said he also discovered that hackers have been abusing a Securence link scrubbing and anti-spam service called Url-Shield to create links that look benign but instead redirect visitors to hacked and malicious websites.

“The bad guys modify the malicious link reporting into redirects to their own malicious sites,” Holden said. “That’s how the bad guys drive traffic to their sites and increase search engine rankings.”

For example, clicking the Securence link shown in the screenshot directly above leads one to a website that tries to trick visitors into allowing site notifications by couching the request as a CAPTCHA request designed to separate humans from bots. After approving the deceptive CAPTCHA/notification request, the link forwards the visitor to a Russian internationalized domain name (рпроаг[.]рф).

The link to this malicious and deceptive website was created using Securence’s link-scrubbing service. Notification pop-ups were blocked when this site tried to disguise a prompt for accepting notifications as a form of CAPTCHA.

U.S. Internet has not responded to questions about how long it has been exposing all of its internal and customer emails, or when the errant configuration changes were made. The company also still has not disclosed the incident on its website. The last press release on the site dates back to March 2020.

KrebsOnSecurity has been writing about data breaches for nearly two decades, but this one easily takes the cake in terms of the level of incompetence needed to make such a huge mistake unnoticed. I’m not sure what the proper response from authorities or regulators should be to this incident, but it’s clear that U.S. Internet should not be allowed to manage anyone’s email unless and until it can demonstrate more transparency, and prove that it has radically revamped its security.