Robin’s Newsletter #297

25 February 2024. Volume 7, Issue 8
LockBit comprehensively pwned by UK, US and EU law enforcement. Leak at Chinese security company gives insight into outsourcing of government attacks.

This week

LockBit comprehensively pwned in UK-led operation

  • UK, US and EU authorities disrupted operations of the LockBit cybercrime gang this week. ‘Operation Cronos’ saw the UK’s National Crime Agency “[gain] unprecedented and comprehensive access to LockBit’s systems.”
  • LockBit has been behind thousands of attacks against organisations over the last four years, including Royal Mail, Boeing, and the Commercial Bank of China. Officials estimate that they have extorted around $120 million in ransom payments over that period.
  • The operation resulted in 11,000 domains and 34 servers being seized, recovery of key material to help 2,000 victims, 200 cryptocurrency wallets being frozen, five people being charged in the US, two already in custody and another two being arrested in Ukraine and Poland this week.
  • The seizure notice on the dark web site parodied the site, showing press releases, advisories and decryptors as ‘published’ while a countdown to releasing information on the identity of a prominent member of the crew ticked down:

* chef's kiss *

  • The law enforcement trolling of the criminals continued with the naming of screenshots — this_is_really_bad.png, oh_dear.png and doesnt_look_good.png — showing that officials had gained root access to servers and full access to the command and control admin panel.
  • Sowing discord amongst the criminals, the takedown notice shows law enforcement knows that LockBit has employed 188 affiliates during its lifetime. They also teased that LockbitSupp — the name used on cybercrime forums by a senior member of the group — is known to law enforcement. “We know who he is. We know where he lives. We know how much he is worth,” says the notice, and “LockbitSupp has engaged with Law Enforcement :).” If I were an affiliate I’d be equally worried and furious right now.
  • However, some malware associated with the group has been identified among new victims this week, exploiting a critical vulnerability in ConnectWise’s Screen Connect software (below).
  • TechCrunch also has a good roundup of lessons learned: LockBit didn’t delete victims’ data, even if they paid up (quelle surprise); a PHP vulnerability was used to gain access to the servers; the operation began with an investigation two years ago. 
  • LINK, TROLLING, LOCKBITSUPP, SCREENCONNECT, LESSONS

Leak at commercial hackers-for-hire used by the Chinese Ministry of Public Security

  • A trove of documents was leaked this week belonging to I-Soon, a Chinese company that offers offensive security services and with ties to China’s Ministry of Public Security. The Associated Press has verified the authenticity of the documents with two employees at I-Soon. 
  • Amongst the documents are novel tools, service contracts, marketing presentations, tooling manuals, and client and employee lists. They also show the targeting of Uyghur Muslims in Xinjiang, dissidents in Hong Kong and regions that have staged anti-government protests, in keeping with the Ministry of Public Security’s ‘counter-terrorism’ remit.
  • While it shouldn’t come as a surprise that China has commercial ‘hacker-for-hire’ operators conducting offensive operations on its behalf, there are a couple of nuggets. Firstly, chat logs suggest that Chinese intelligence is funnelling vulnerabilities — which researchers are required by law to report to the government — to these organisations. Secondly, the work is pretty cheap: Dakota Cary from SentinelOne tells Risky Business News that I-Soon was competing for “low-value contracts from the state”. In one example, I-Soon was paid $60,000 for compromising the Vietnamese government.
  • Risky Business News has a great roundup, including a dive into chat logs detailing the day-to-day life of I-Soon employees. (Spoiler alert: they’re overworked and underpaid).
  • AP, RBN

Interesting stats

45.9% of organisations have critical security debt, according to Veracode. LINK (H/T Simon). Those critical flaws represent around 15% of flaws in applications: 3% are debt (>1yr old) and 12% are non-debt (<1yr old):

Of the 15% of critical flaws, 3% is debt, while 12% is non-debt (Source: Veracode)

~2/3 of those critical flaws are in third-party code: organisations aren’t good at updating libraries:

While first-party code makes up most of overall security debt, most critical security debt comes from third-party code. (Source: Veracode)

Other newsy bits / in brief

  • Post-quantum computing: iMessage is getting a cryptographic makeover to make Apple’s messaging service resistant to cracking using quantum computers. iMessage and Signal are the only messaging apps using the Kyber algorithm. Apple’s implementation augments its existing encryption with Kyber’s PQ3 algorithm, meaning an attacker must crack both to decrypt and read content. This week, Signal announced that username support is being rolled out so you can connect without sharing your phone number. IMESSAGE, SIGNAL.

  • Microsoft will offer expanded logging capabilities in its Purview Audit suite for free, just so long as you’re a US federal agency. Microsoft drew criticism (vol. 6, iss. 29) in the wake of a Chinese state compromise of its cloud email services after it came to light that the logging data needed to detect the suspicious activity was locked behind its most premium licence tier. No such luck if you’re a similarly targeted organisation: pony up your E5 licence payment to Redmond. LINK

⚠️ Breaches:

  • Wyze cameras leak footage to strangers for the 2nd time in 5 months. 13,000 users could see video from IoT cameras that did not belong to them. LINK
  • An incident at Nashville-headquartered Change Healthcare is affecting pharmacies’ abilities to fill prescriptions across the US. LINK
  • U-Haul says 67,000 customers are affected by a records system breach. “Legitimate credentials” were used by an unauthorised party to view customer records in a system that manages reservations. LINK
  • Massive AT&T outage impacts US mobile subscribers. Tens of thousands of customers could not make or receive calls because of the “execution of an incorrect process” during a network upgrade. LINK

🏴‍☠️ Ransomware:

  • Industrial control: Cactus ransomware claims to have stolen 1.5TB of Schneider Electric data. Meanwhile, PSI Software, a German developer of control systems solutions, confirmed it had become a victim of a ransomware attack on 15th February. SCHNEIDER, PSI

🕵️ Threat Intel:

  • Knight ransomware source code is for sale after their leak site shuts down. LINK
  • New SSH-Snake malware steals SSH keys to spread across the network. LINK

🪲 Vulnerabilities:

  • ConnectWise Screen Connect is being actively exploited by cybercriminals, including LockBit (above), to deploy ransomware. The vulnerability, CVE-2024-1709 (10/10), in the remote access software (formerly known as ConnectWise Control) is “trivial and embarrassingly easy” to exploit, according to researchers at Huntress who discovered the flaw. LINK, ADVISORY
  • KeyTrap: A design flaw in DNSSEC, tracked as CVE-2023-50387 (7.5/10), affects all DNS resolvers and allows a remote attacker to cause a denial of service lasting between 56 seconds and 16 hours with a single packet. The vulnerability, which has been present for over 20 years, stems from the requirement that resolvers try all available keys against all signatures: setting up a malicious domain with many keys and many signatures all using the same key tag ties the resolver up while it tries all the available permutations. You should update your resolver software if you’re an ISP or run DNS servers. LINK, DISCLOSURE
  • Joomla fixes XSS flaws that could expose sites to RCE attacks. Five vulnerabilities — CVE-2024-21722/23/24/25/26 — can allow attackers to execute code on affected websites running the content management system. LINK, ADVISORY
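To make the KeyTrap validation-cost explosion and its mitigation concrete, here is an added Python model that is not code from the newsletter, the disclosure, or any real resolver: key tags are computed as RFC 4034 Appendix B specifies, signature verification is replaced by a constructed callback, and the `budget` parameter stands in for the kind of attempt limit that resolver fixes introduced.

```python
"""Cost model of the DNSSEC validation loop behind KeyTrap (CVE-2023-50387).
Added illustration, not code from the newsletter or from any real resolver.
key_tag() follows RFC 4034 Appendix B; signature verification is a constructed
callback so the example runs offline without any cryptography."""
from typing import Callable, List, Optional, Tuple

Rrsig = Tuple[int, bytes]  # (key tag the signer claims, stand-in signature bytes)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum DNSKEY RDATA as 16-bit words, fold the carry."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def validate(sigs: List[Rrsig], keys: List[bytes],
             verify: Callable[[Rrsig, bytes], bool],
             budget: Optional[int] = None) -> Tuple[bool, int]:
    """RFC 4035-style validation: every RRSIG is tried against every DNSKEY
    whose key tag matches. budget=None is the unbounded behaviour KeyTrap
    abuses; with a budget the resolver gives up and treats the data as bogus
    after that many failed verifications. Returns (validated, verify calls)."""
    calls = 0
    for sig in sigs:
        for key in keys:
            if key_tag(key) != sig[0]:
                continue  # the key tag only pre-filters candidate keys
            calls += 1
            if verify(sig, key):
                return True, calls
            if budget is not None and calls >= budget:
                return False, calls
    return False, calls

def colliding_keys(n: int) -> List[bytes]:
    """Constructed DNSKEY RDATA (flags 257, protocol 3, algorithm 8) whose two
    trailing 16-bit words always sum to 256*n, so all n keys share one tag."""
    return [bytes([1, 1, 3, 8, i, 0, n - i, 0]) for i in range(n)]

def constructed_verify(sig: Rrsig, key: bytes) -> bool:
    """Stand-in for crypto: a signature is 'valid' iff its payload is the key."""
    return sig[1] == key

if __name__ == "__main__":
    keys = colliding_keys(8)
    junk = [(key_tag(keys[0]), b"\xff" * 8)] * 8  # eight RRSIGs that never verify
    print("unbounded:", validate(junk, keys, constructed_verify))      # (False, 64)
    print("budget 16:", validate(junk, keys, constructed_verify, 16))  # (False, 16)
```

With eight colliding keys and eight bogus signatures the unbounded loop performs 64 verifications; a real resolver does expensive public-key operations at each step, which is the time sink the bullet describes, and the bounded variant caps that at the budget.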

🧰 Guidance and tools:

  • Private branch exchange: NCSC best practices for businesses running their own PBX (telephone exchange) to prevent dial-through fraud. LINK

📜 Regulation:

  • The FTC has fined Avast $16.5 Million for selling browsing data harvested (vol. 3, iss. 5) by its antivirus product. LINK
  • The White House has issued an executive order to improve maritime cyber security “requiring vessels and waterfront facilities to mitigate cyber conditions that may endanger the safety of a vessel, facility, or harbor”. Mandatory reporting will also be introduced and the US Coast Guard will receive new powers to investigate and respond to cyber incidents in the sector. LINK

💰 Investments, mergers and acquisitions:

  • 1Password expands its endpoint security offerings with the acquisition of Kolide. LINK

🏭 Industry news:

  • Rob Joyce is retiring from the NSA at the end of March after 34 years at the agency. David Luber, former US Cyber Command executive director, has been named Joyce’s replacement. Plenty of time to tinker with your ‘absurd Christmas light shows,’ eh, Rob? LINK, LIGHTS

And finally

  • VoltSchemer: Very cool research from the University of Florida and CertiK using wireless chargers to affect devices. By manipulating the voltages precisely, they can heat devices to 280°C, destroy data, and send voice assistant commands (though the paper admits this is impractical in real life). LINK 
Robin
