By Deeba Ahmed
HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. 
This is a post from HackRead.com Read the original post: Threat Actors Using Go-based HinataBot to launch DDoS Attacks

****The botnet is based on the Mirai botnet, and since it is actively updated, the new versions have additional features like functional improvements and anti-analysis.****

Akamai’s Security Intelligence Response Team (SIRT) cybersecurity researchers have discovered a brand-new botnet, dubbed HinataBot. This botnet can launch DDoS attacks of up to several terabytes in volume. Its distribution started earlier in 2023 and is still ongoing.

**New Botnet can Launch DDoS Attacks of 3.3 TBPS**

Akamai’s research report read that HinataBot can launch Distributed Denial of Service (DDoS) attacks reaching 3.3 TBPS. It is a Go-based botnet named after a character from the famous anime series, Naruto. While researching, Akamai’s honeypots detected this botnet as it tried to exploit old vulnerabilities, including CVE-2017-17215 and CVE-2014-8361.

The flaws impact Realtek SDS, Hadoop Yarn servers, and Huawei routers. To exploit these flaws, attackers use brute force, RCE payloads, and infection scripts. HinataBot evidence was found in Akamai’s SSH and HTTP honeypots, but researchers believe malware authors are actively updating it.

**What Makes Hinata Different?**

The researchers imitated the attackers’ C2 server with a range of reverse engineering techniques and simulated attacks to get a deeper understanding of the malware functionalities and its unique attributes. They learned that previously DDoS flooding attacks were launched over multiple protocols.

But, the recently discovered HinataBot uses only HTTP and UDP flooding techniques. Attackers exploit the miniigd SOAP service on Realtek SDK with CVE-2014-8361, exposed Hadoop YARN servers with an unspecified flaw, and Huawei HG532 routers with CVE-2017-17215.

**Attack Volume**

Akami noted that HinataBot’s DDoS attack’s packet size for HTTP reached 484 to 589 bytes whereas, for UDP packets, the size was considerably large at 65,549 bytes. It may seem low but could cause sufficient digital destruction for the targets.

Akamai, however, noted that the malware could generate over 20,000 requests and reach 3.4 MB whereas, with a thousand nodes, the attack data volume may reach 3.3 TBPS.

**Threat Actors Distributing Mirai Binaries**

Further probe revealed that the threat actors operating HinataBot distributed Mirai binaries. There are several nods to the open-source, Go-based botnet.

“HinataBot is the newest in the ever-growing list of emerging Go-based threats that includes botnets such as GoBruteForcer and the recently discovered (by SIRT) kmsdbot,” Akamai researchers noted.

The malware is based on the Mirai botnet, and since it is actively updated, the new versions have additional features like functional improvements and anti-analysis. Its previous versions supported UDP, HTTP, TCP, and ICMP floods, but the new version only supports UDP and HTTP.

1.  Akamai Mitigated Record-Breaking DDoS Attack
2.  RapperBot hits gaming servers with DDoS attacks
3.  Tor Network Hit By a Series of Ongoing DDoS Attacks

Threat Actors Using Go-based HinataBot to launch DDoS Attacks

This article has not been generated by ChatGPT. 
2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis.
Nonetheless, stolen data has value beyond a price tag, and in

_This article has not been generated by ChatGPT._

2022 was the year when inflation hit world economies, except in one corner of the global marketplace – stolen data. Ransomware payments fell by over 40% in 2022 compared to 2021. More organisations chose not to pay ransom demands, according to findings by blockchain firm Chainalysis.

Nonetheless, stolen data has value beyond a price tag, and in risky ways you may not expect. Evaluating stolen records is what Lab 1, a new cyber monitoring platform, believes will make a big difference for long-term cybersecurity resilience.

Think of data value this way:

*   Stolen credentials can become future phishing attacks
*   Logins for adult websites are potential extortion attempts
*   Travel and location data are a risk to VIPs and senior leadership,
*   And so on…

Hackers could retaliate for non-payment by simply posting their loot to forums where the data will be available for further enrichment and exploitation.

****Shining a light on dark places****

Even though your company may not have suffered a direct breach, your data may already be on the Dark Web. That is why Lab 1 gets hold of available data and contextualises it to assess risk.

The Dark Web started off as a closed network to protect dissidents. Now half of it is a popular backwater for criminal activity. According to the IMF, data marketplaces are the second most popular activity after pharma and recreational drugs.

Industry research in 2022 also found more than 24 billion username and password combinations on sale on the dark web, up from 15 billion in 2020. But there can be other records – intellectual property, accountancy documents, employee records and more.

Breaches end up being marketed by hackers with data descriptions and auction demands, often in Bitcoin. By getting hold of these records, no matter their value or half life, Lab 1 builds a picture of risk exposure.

****Chain reaction****

You may not think of your supply chain as a source of cybersecurity risk, but you should. 53% of organisations have had a data breach caused by third party information theft, according to Ponemon Institute.

Data breaches can and do spread outside the perimeter of your business. That's the insight that drives the Lab 1 platform. In an interconnected business, the tools you use, the agencies you hire, and the subcontractors you use to perform everyday business are all potential vectors of attack.

Say you're a client of a software vendor, and _their_ stolen data pack includes code access to the servers of various clients, it's likely to include yours. Or what if trip details of VIP customers get leaked and they're about to show up at an important conference?

****Monitor your supply chain****

Fallouts from cybersecurity breaches don't have to be inevitable. Lab 1 monitors, alerts and analyses data breaches across a company's entire supply chain by finding and contextualising data found on forums, messaging platforms and Dark Web marketplaces.

Using Lab 1, organisations can "follow" the companies they work with and get alerted if any of them have been breached that would pose a risk. This can be particularly useful for breach insurance and other risk-related provisions.

Because Lab 1 is finding new data entities by the second – 24bn to date – and is adding them to CiGraph, its graph database, the monitoring is continuous.

As and when incidents are recorded or data becomes available, Lab 1 systems provide a near-real-time alerting service called _Blast Radius_. It allows security teams to dig deeper on what happened.

****Control the network effect of breaches****

Every incident generates fallout that impacts other companies, sometimes in their thousands. Lab 1's _Fallout_ service details this network effect and how companies you follow (including your own) are impacted.

Lab 1 also details history, risk quantification, and recommended remedies, based on the nature and size of the breach. Helping to prevent attack, manage damage and view live risk quantification across thousands of suppliers, with the intention for businesses to build more robust supply chains.

**_To find out if there's a hidden data breach that involves your company, go to https://www.lab-1.io/, where CiGraph may yet reveal a Dark Web secret you didn't know you had._**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Cyber Platform Lab 1 Decodes Dark Web Data to Uncover Hidden Supply Chain Breaches

Open source intelligence researchers are verifying and debunking opaque claims about who ruptured the gas pipelines in the Baltic Sea.

It’s been six months since the Nord Stream gas pipelines were ruptured by a series of explosions, leaking tons of methane into the environment and igniting an international whodunit. Russia, the United States, the United Kingdom, and an unnamed pro-Ukrainian group have all been accused of planting explosives on the Baltic Sea pipelines in recent months. But half a year since the sabotage took place, the mystery remains unsolved.

Digital sleuths are stepping in to help provide clarity around bombshell claims about who was behind the attacks. Open source intelligence (OSINT) researchers are using public sources of data in their efforts to verify or debunk the snippets of information published about the Nord Stream explosions. They’re providing a glimpse of clarity to an incident that’s shrouded by secrecy and international politics.

Since early February, multiple media reports have claimed to provide new information about who could have attacked the Nord Stream 1 and 2 pipelines on September 26. However, the reports have largely been based on anonymous sources, including unnamed intelligence officials and leaks from government investigations into the attacks.

First, American investigative journalist Seymour Hersh published claims that the US was behind attacks in a post on Substack. This was followed by reports in _The New York Times_ and German publication _Die Zeit_ claiming a pro-Ukrainian group was responsible. (European leaders have previously speculated Russia could be behind the attacks, and Russia has blamed the United Kingdom.) No country has claimed responsibility for the blasts so far, and official investigations are ongoing.

Each of the recent reports has provided little hard evidence to show what may actually have happened, while helping to fuel speculation. Jacob Kaarsbo, a senior analyst at Think Tank Europa, who previously worked in Danish intelligence for 15 years, says the claims have been “remarkable” but also “speculative” in nature. “In my mind, they don’t really alter the picture,” Kaarsbo says, adding the attacks look highly complex and would likely be “very hard to pull off without it being a state actor or at least with state sponsorship.”

In the absence of official information, OSINT researchers have been trying to plug the gaps by examining the claims of the new reports with public data. OSINT analysis is a powerful way to determine how an event may have unfolded. For instance, flight- and ship-tracking data can reveal movements around the world, satellite images show Earth in near real-time, while small clues in the backgrounds of photos and videos can reveal where they were taken. The techniques have uncovered Russian assassins, spotted North Korea evading international trading sanctions, identified potential war criminals, and documented pollution.

For the Nord Stream blasts, there was little OSINT available. Researchers identified “dark ships” in the area. But underwater, there are obviously limited data sources that can be tapped into—cameras and sensors don’t monitor every inch of the pipelines. “OSINT probably won’t break this case open, but it can be used to verify or strengthen other hypotheses,” says Oliver Alexander, an analyst who focuses on OSINT and has been closely looking at the Nord Stream blasts. “I do think that it’s more of a verification tool.”

Alexander and others have been examining the claims made so far. _The New York Times_ and _Die Zeit_ both published stories on March 7 claiming a Ukrainian group was behind the sabotage. (Ukraine has denied any involvement.) _Die Zeit_ published more details, claiming German investigators searched a yacht rented from a company based in Poland, knew where the yacht sailed from, and that six people were involved in the operation, including two divers. All of them used forged passports, the publication reported.

The details were enough for OSINT researchers to start tracking down which yacht could have been used. Alexander, as well as contributors to the open-source investigative outlet Bellingcat, started following the breadcrumbs, narrowing down potential vessels. A follow-up report soon named the boat under suspicion as the _Andromeda_, a 15-meter-long yacht. Webcam footage from the harbor where it is believed the _Andromeda_ was docked shows the movement of a boat around the time reported by the publications. (The _Andromeda_ is reportedly too small to be required to use ship-tracking systems.) Years-old videos and photos of the boat have surfaced. The sleuthing adds public details to the reports.

Similarly, OSINT has been used to debunk Hersh’s story claiming the United States was behind the explosions. (Hersh has defended his article, while US officials have said it was false.) Alexander has used, among other things, ship-tracking data to show Norwegian ships were “accounted for” and not in a “position to have placed the explosives on the Nord Stream pipeline, as claimed by Hersh.” Another detailed article from Norwegian journalists has similarly poured cold water on Hersh’s claims, partly using satellite data.

The sabotage was always likely to be controversial and surrounded by rumors: Russia’s full-scale invasion of Ukraine in February 2022 has heated global tensions and put pressure on diplomats around the world. There has been a whirlwind of disinformation around the blasts, further muddying the waters. Mary Blankenship, a disinformation researcher at the University of Nevada, Las Vegas, who has analyzed online conversations around the war, says the “high uncertainty and high stakes” of the incident help to fuel the spread of disinformation. 

“This is an issue that exploits existing worries, tensions, and grievances within European audiences,” Blankenship says. Initially, the earliest disinformation on Twitter about the explosions came from conspiracy theorists, Blankenship says, who shared a pre-war statement from US president Joe Biden, where he said there would be an “end” to Nord Stream 2 if Russia invaded Ukraine. Since then, Russia and China have taken to sharing unproven theories about the sabotage, the researcher says.

“Disinformation actors, but also official representatives of the \[Russian\] regime, stepped up their efforts on every news story that was published on this—however contradictory about the origins of the blast—be it a blog post by Seymour Hersh or a _New York Times_ article,” says Peter Stano, an EU spokesperson, adding most disinformation narratives have circled around the idea that “the US is to blame.” The EU’s disinformation monitoring project, EUvsDisinfo, has flagged more than 150 pieces of disinformation linked to the Nord Stream explosions, including those building on Hersh’s story. “EUvsDisinfo experts also found that Moscow considers the recent materials in German-language media a hoax,” Stano says.

While OSINT is helping to provide bits of extra detail on the claims about the Nord Stream attacks, it is likely that reports debunking dubious claims reach fewer people than disinformation or claims that are hard to verify. “It does not nearly get the same level of engagement,” Blankenship says. “You can have a book’s worth of evidence for it, and they would still find a way to discount it.”

And while OSINT research can answer some questions, it has its limits and can also raise new ones. Kaarsbo, the former Danish intelligence official, and other experts have pointed out that the _Andromeda_ is a relatively small yacht, and it may have been unable to carry the amount of explosives needed to blow the pipelines. “The _Andromeda_ is quite likely a piece of the puzzle, but I don’t think it’s a bigger piece of the puzzle that everyone makes it out to be,” Alexander says. “I think there are a lot of the big pieces missing.” Detailed sonar imagery of the damaged pipes would help people to understand what happened underwater, Alexander adds.

Ultimately, there is still very little hard public evidence—either from governments or publicly available online—about who may have been behind the attacks. Behind closed doors, intelligence agencies likely have more data and theories on the potential culprits. However, investigators in Sweden and Denmark refused to comment on their progress, while Germany’s Office of the Federal Prosecutor confirmed it had searched a yacht and is continuing to examine for explosives. German officials have also said there could be a chance of a “false flag” operation to smear Ukraine. And when the countries complete their investigations, there’s no guarantee they will publish their findings or evidence to back them up. The mystery continues.

Online Sleuths Untangle the Mystery of the Nord Stream Sabotage

Categories: News
Tags: Doxxers

Tags:  doxxing

Tags:  police

Tags:  social media

Tags:  extortion

Tags:  data breach

Two individuals have been charged with being members of ViLE, a group of doxxers that even impersonated police officers to obtain personal information about their victims.



(Read more...)




The post "ViLE" members posed as police officers and extorted victims appeared first on Malwarebytes Labs.

Posted: March 17, 2023 by

In a press release the U.S. Attorney's Office, Eastern District of New York revealed details about the complaint against two individuals that are charged with wire fraud and conspiracy to commit computer intrusions.

More specifically, the defendants are suspected of extortion with the threat of doxxing. Doxxing, also known as doxing, is the act of publishing personal information about an individual without their consent. This information can include addresses, phone numbers, email addresses, and even financial details.

Allegedly, the defendants threatened to publish or otherwise use personal information about the victims unless they paid to have their information removed from or kept off the website.

The defendants, of which one is still at large, belonged to a group called Vile. Members of ViLE sought to collect victims’ personal information, such as names, physical addresses, telephone numbers, social security numbers, and email addresses. ViLE runs its own website which they use to post that information unless the victim complied with their demands.

As stated by United States Attorney Peace. 

“As alleged, the defendants shamed, intimidated and extorted others online. This Office will not tolerate those who impersonate law enforcement officers and misuse the public safety infrastructure that exists to protect our citizens.”

The second sentence of that statement indicates how the defendants were able to get their hands on the personal information. What the defendants are charged with is that they unlawfully used a police officer’s stolen password to access a restricted database maintained by a federal law enforcement agency. They used the police officer’s credentials to access without authorization a nonpublic, password-protected web portal maintained by a U.S. federal law enforcement agency, whose purpose is to share intelligence from government databases with state and local law enforcement agencies. Said database contains (among other data) detailed, nonpublic records of narcotics and currency seizures, as well as law enforcement intelligence reports. 

The two suspects are also charged with accessing without authorization the email account of a foreign law enforcement officer. They abused this access to defraud social media companies by making purported emergency requests for information about the companies’ users. For example, one of the defendants used an official email account to pose as a Bangladeshi police officer in communication with US-based social media platforms.

The same Bangladeshi police account was used to request data about the user of  an online gaming platform. When caught they threatened to sell the platform’s information on the Dark Web. An associate posed as a US local police officer and sent a forged subpoena to one of the platform’s vendors, seeking registration details about their administrators.  The vendor did not provide the information.

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim oif a data breach.

*   Check the vendor's advice. Every breach is different, so check with the vendor to find out what's happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don't use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

**RELATED ARTICLES**

"ViLE" members posed as police officers and extorted victims

In the spring of 2022, I was sitting in my college apartment studying for an exam when I received a call from an unfamiliar number. Not thinking anything of it, I answered and was stunned to meet a Secret Service agent asking about an unsavory tweet I’d posted about former president George W. Bush four months earlier. 

“When making that tweet,” asked the federal agent on the line, “were you talking about George Bush Sr. or George Bush Jr.?”

My eyes darted between the Detroit Field Office’s list of contacts on its website and my friend in my room, afraid that I’d be indicted on a federal crime at 20 years old. 

“George Bush Jr.,” I responded. “Cause he’s still alive.”

It was unbelievable to me that a federal agent saw my old drunken tweet and considered it important enough to be investigated, much less to find my contact information and call me to confirm whether or not I was a threat. 

Back then, I had an unhealthy relationship with Twitter. I’d hoped to grow an audience on the social media site so I could sell my Substack like my favorite internet micro-celebrities. But drunk one night, after arguing with my roommates about 9/11 and the unjust war in Iraq, I tweeted that George Bush should be dead, and I went to bed. It wasn’t uncommon for me to throw out inflammatory remarks. My roommates, usually more cautious and forward-thinking than I was, advised me to delete it. Ignoring them, I kept it up for reasons like ego and fallacious integrity. Four months later it came back to bite me. 

While my college classmates and I were worried about the federal government interfering in the lives of everyday citizens, it’s not the only area of surveillance I should have been concerned about. Internet service providers and platforms like Twitter and Facebook all regularly moderate their service in ways that can either thrust users into the eyes of law enforcement or keep them safe from surveillance. That’s a distinction that’s often left up to those in power to make. Whether it’s a stupid tweet or a legitimate complaint depends heavily on who’s in charge of making that call.

“Governments in Iran and China are centralized and control service providers, or have very strict rules on who is operating them and how,” says University of Michigan computer science professor Roya Ensafi, founder of Censored Planet. “In a lot of other countries, though, service providers are commercial entities like Comcast and Verizon, so the government has to rule through policy to figure out how to implement censorship. Although it's different, the government always has a good idea of what the ISPs are doing,” she elaborates. 

The US government isn’t usually inclined to release data on its own surveillance activities, but the American Civil Liberties Union, along with other similar organizations, have a mountain of data about the often racist and invasive activities of American intelligence agencies. Plus, social media companies have a long history of cooperating with intelligence agencies in gathering information on their users.

Unfortunately, my thought process wasn’t that complex when I suddenly had to talk to a federal agent on my phone about what I’d posted to Twitter.

“Can I take a second just to verify that you are, in fact, calling me?” I stammered out, recalling that I had a right to verify the agent’s identity–or perhaps call a lawyer before responding with anything that may be incriminating. An investigation by the Secret Service goes through the federal judicial system, after all. I hoped I didn’t need to pay for a fancy-pants federal defense attorney.

“Sure, but if you don’t call me back,  we would have to show up to your address in Ann Arbor,” he replied. 

I called the Chicago Field Office, as the Detroit Field Office was closed that day. “Hi, I’d like to request some information,” I said to the man on the phone. 

“May I ask you why?” he asked. 

What was I supposed to say to this guy? This wasn’t a FOIA request. I swallowed the lump in my throat and nervously capitulated. “I’m currently being investigated, and I wanted to verify that this agent works at the Detroit Field Office from this number before I give any information.”

The investigator checked. This agent did indeed work for the Secret Service. I called him back and was met with more dejected quasi-threats. He listed my father’s name and occupation, my (deceased) mother’s name and occupation, and my sister’s age. He dropped the first four numbers of my social security number before I told him I understood he was legit. As the debacle continued,  I realized I’d accrued the equivalent of a seditious parking ticket.

“Alright, I’ve got no more questions for you. If you pull anything like that again, though, we will not hesitate to show up armed at your door. Can I call a friend to corroborate the information you’ve given me?” the agent asked. I obliged. I thought to myself that it was probably better not to let this thing escalate.

Returning from my exam later that day, I finally told my roommates what had transpired. _They_ were surprised that all of my posturing and bloviating about the “Feds” actually came to bite me. _I_ was embarrassed that I actually ended up in this situation. 

When I told my father what happened, he was hysterical.“Is this going to cost you a job?” he finally asked. It was a good question. I wasn’t sure of the answer, and even though I hoped the whole thing was over, I had no way to know if I were on some kind of watch list going forward. 

So was there any real way to monitor my digital footprint so I wouldn’t be targeted, or to keep myself safe in the future so this wouldn’t happen again?  When I asked Ensafi, she brought up the General Data Protection Regulation in the EU, and California’s Consumer Privacy Act. However, both laws aim to make individuals aware of what commercial entities can and can’t do with your data, not what they can and can’t hand over to law enforcement or government bodies.

“I don’t know whether the day-to-day lives of Americans are affected by surveillance, but I can assure you that one thing we found in our VPN study was that vast numbers of users in the United States using VPNs think that they’re protecting their privacy and security from service providers,” Ensafi says. The presence of internet influencers advertising VPN software has long made me wary of how effective they actually were. Ensafi agrees. 

“Years ago my students and I decided to look into the ecosystem through systematic investigation on how weak implementations are, how weak VPN services are, if they’re leaking DNS data or implementing a kill switch properly or not, as well as understanding users’ perspective better as to why they use VPN services. Do they know what a VPN actually provides? Where do they find VPNs from? They think VPNs are a tool to save the day, but that isn’t always the case.”

I know for a fact that a VPN probably wouldn’t have helped in my case. I have identifiable information publicly available, and a link to some other stuff in my Twitter profile and bio. But Twitter does hand over user information—usually at the behest of a subpoena, but other times whenever it chooses to. Take for example, the case of @PRGuy17. Twitter was ordered to hand over the user’s personal information by a court in Australia during a defamation case. That’s not even considering any actual data-sharing agreements the platform—or other platforms—may have for their own purposes, and who knows what the third parties do with your information. 

VPNs are helpful, but they aren’t especially useful if you find yourself in my situation. One easy solution, of course, is to simply be careful what you say publicly, regardless of whether you’re identifiable or not. Another simple internet hygiene tip I recommend is to avoid suspicious users. I’m not joking. The FBI spends millions of dollars on user surveillance of social media. If it seems like a user is trying to coerce information out of you, especially that of the illicit kind, don’t comply. Don’t click suspicious links, either. These are viruses most of the time, but it’s not just scammers and con artists that set up fake websites to “honeypot” users and grab their IP addresses and other personal information. I don’t expect any of you to be criminals, but you can’t be too careful. If you absolutely must, use secure and encrypted messaging clients like Signal.

I still post opinionated takes on social media, and I try to use sarcasm and satire to comment on government surveillance and conspiracy theories. But I stopped joking about the demise of presidents. Do I know exactly how to avoid this in the future, or how to put a stop to it entirely? Not entirely. It’s hard to offer tips when your words are stuck between private companies and the global surveillance complex. I think I did the right thing by cooperating and trying to minimize the potential fallout from a drunken tweet. But what if the agent—or anyone who potentially reported my tweet—had more dirt on me, or had some kind of personal or political vendetta? 

What I can say for sure is that it’s always good to be careful. I know now to watch what I say and only say things I truly mean. So, above all else, exercise caution. And remember that when you speak on the internet, you never know who’s listening.

I Got Investigated by the Secret Service. Here's How to Not Be Me

In the Linux kernel before 6.1.3, fs/ntfs3/inode.c does not validate the attribute name offset. An unhandled page fault may occur.

CVE-2022-48424

Plus: A SpaceX supplier ransom, critical vulnerabilities in dozens of Android phones, and more.

What’s more controversial than a popular surveillance camera maker that has an uncomfortably cozy relationship with American police? When ransomware hackers claim to have breached that company—Amazon-owned camera maker Ring—stolen its data, and Ring responds by denying the breach.

But we’ll get to that.

Five years ago, police in the Netherlands caught members of Russia’s GRU military intelligence red-handed as they tried to hack the Organization for the Prohibition of Chemical Weapons in The Hague. The team had parked a rental car outside the organization’s building and hid a Wi-Fi snooping antenna in its trunk. Within the GRU group was Evgenii Serebriakov, who was caught with further Wi-Fi hacking tools in his backpack.

Since then, surprisingly, Serebriakov has only risen in status. This week, Western intelligence sources told WIRED that Serebriakov is now the new leader of one of the world’s most aggressive hacking units. Serebriakov took over Sandworm, which is responsible for some of the worst cyberattacks in history, in the spring of 2022. His elevation to the senior role, experts say, shows how small the pool of skilled nation-state hackers is likely to be and demonstrates Serebriakov’s value to Russia.

Nowhere on the internet is free from threats—and that includes LinkedIn. This week we looked at how spies, scammers, and hackers from Iran, North Korea, Russia, and China are using the professional network to scout and approach intelligence targets. In addition, LinkedIn is plagued with thousands of suspicious accounts; it removed hundreds from WIRED’s profile when we reported them.

The Western clampdown on TikTok is continuing—this week the UK joined the US, Belgium, Canada, and the European Union in banning the social media app from being used on government devices. But in the US, Senator Mark Warner is trying to pass legislation, in the guise of the bipartisan Restrict Act, that will allow officials to ban apps and services from six “hostile” nations: China, Russia, North Korea, Iran, Cuba, and Venezuela. We sat down with Warner and asked about the plans.

A WIRED analysis of “cybercrime” cases across the US shows how vague and wide-ranging the term can be. Without a clear and universal definition of cybercrime, human rights and civil liberties issues may expand globally. Speaking of criminals, scammers are getting better at using voice deepfakes to con people. And ransomware gangs are sinking to a new deplorable low. As more and more companies and organizations refuse to pay ransoms, criminal gangs are increasingly using extortion as leverage: they are now releasing photos stolen from cancer patients and sensitive student records. 

But wait, there's more. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

ALPHV, a prolific group of hackers who extort companies with ransomware and leak their stolen data, said earlier this week that it had breached security camera maker Ring and threatened to dump the company’s data online if it doesn’t pay. “There’s always an option to let us leak your data …” the hackers wrote in a message to Ring on their leak site. Ring has so far responded with a denial, telling Vice’s Motherboard, “We currently have no indications of a ransomware event,” but it says it’s aware of a third-party vendor that has experienced one. That vendor, Ring says, doesn’t have access to any customer records. 

Meanwhile, ALPHV, which has previously used its BlackCat ransomware to target companies like Bandai Namco, Swissport, and hospital firm Lehigh Valley Health Network, stands by its claim to have breached Ring itself, not a third-party vendor. A member of the malware research group VX-Underground shared with WIRED screenshots of a conversation with an ALPHV representative who says that it’s still in “negotiations” with Ring.

Amid the ongoing ransomware epidemic, it’s no surprise that Ring isn’t alone in facing extortion problems. So too is Maximum Industries, a supplier of rocket parts for Elon Musk’s SpaceX. The hackers, a well-known ransomware gang known as LockBit, taunted Musk on their website, threatening to sell the stolen information to the highest bidder if Maximum doesn’t pay by their March 20 deadline. “I would say we were lucky if Space-X contractors were more talkative. But I think this material will find its buyer as soon as possible,” the hackers wrote. “Elon Musk we will help you sell your drawings to other manufacturers.”

Google’s Project Zero, its security research team devoted to finding unknown vulnerabilities in widely used tech products, warned Thursday that it had discovered severe hackable flaws in Samsung chips used in dozens of Android devices. In total, the researchers found 18 distinct vulnerabilities in Samsung’s Exynos modems for smartphones, but they say that four of them are particularly critical and would allow a hacker to “remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number.” Project Zero only rarely publishes information on unpatched vulnerabilities. But it says that it gave Samsung 90 days to fix the flaws, and it hasn’t yet. A bit of public shaming, perhaps, might spur Samsung to move faster to protect Google’s users from an insidious form of attack.

Since 2017, the cryptocurrency “mixer” service ChipMixer quietly grew into a powerhouse of cryptocurrency money laundering, taking in users’ coins, mixing them with others and then sending them back to obscure the money’s trail across blockchains. In the process, the Department of Justice says it laundered $3 billion worth of criminal funds, including ransomware payments, North Korean hackers’ stolen loot, and even profits from the sale of child sexual exploitation materials. Now, in a bust carried out by multiple European law enforcement agencies and coordinated by Europol as well as the FBI and DHS, ChipMixer has been taken offline and its infrastructure seized. The site’s alleged creator, 49-year-old Vietnamese national Minh Quốc Nguyễn, remains out of reach: He’s been charged with money laundering only in absentia. 

But the most intriguing result of the case may have more to do with the meltdown of the now notorious cryptocurrency exchange FTX: A portion of FTX’s funds that were stolen in the midst of its bankruptcy proceedings in November were funneled into ChipMixer. Seizing the servers of that mixing service may well foil the FTX thieves’ attempt to evade tracing and help solve one of the central mysteries of that high-profile heist.

Only in the cryptocurrency world, where thefts of more than half a billion dollars now occur multiple times a year, does the stealing of $200 million merit the lowest spot on a news roundup. Early this week, the distributed trading protocol Euler Finance lost nearly $200 million in cryptocurrency to hackers who found a vulnerability in its code. At first, Euler, the company behind that protocol, offered to let the hackers keep $20 million if they returned the rest of the funds. But after that offer was ignored—in fact, the hackers have sent the funds to the Tornado Cash mixing service in the hopes of covering their tracks—the firm has announced a $1 million bounty on the hackers’ heads.

Security News This Week: Ring Is in a Standoff With Hackers

The zero-day exploitation of a now-patched medium-security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.
Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.

Network Security / Cyber Espionage

The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group.

Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments.

The Google-owned threat intelligence and incident response firm is tracking the malicious operation under its uncategorized moniker **UNC3886**, a China-nexus threat actor.

"UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns," Mandiant researchers said in a technical analysis.

"UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies."

It's worth noting that the adversary was previously tied to another intrusion set targeting VMware ESXi and Linux vCenter servers as part of a hyperjacking campaign designed to drop backdoors such as VIRTUALPITA and VIRTUALPIE.

The latest disclosure from Mandiant comes as Fortinet revealed that government entities and large organizations were victimized by an unidentified threat actor by leveraging a zero-day bug in Fortinet FortiOS software to result in data loss and OS and file corruption.

The vulnerability, tracked as CVE-2022-41328 (CVSS score: 6.5), concerns a path traversal bug in FortiOS that could lead to arbitrary code execution. It was patched by Fortinet on March 7, 2023.

According to Mandiant, the attacks mounted by UNC3886 targeted Fortinet's FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants such as THINCRUST and CASTLETAP. This, in turn, was made possible owing to the fact that the FortiManager device was exposed to the internet.

THINCRUST is a Python backdoor capable of executing arbitrary commands as well as reading and writing from and to files on disk.

The persistence afforded by THINCRUST is subsequently leveraged to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw to overwrite legitimate files and modify firmware images.

This includes a newly added payload called "/bin/fgfm" (referred to as CASTLETAP) that beacons out to an actor-controlled server so as to accept incoming instructions that allow it to run commands, fetch payloads, and exfiltrate data from the compromised host.

"Once CASTLETAP was deployed to the FortiGate firewalls, the threat actor connected to ESXi and vCenter machines," the researchers explained. "The threat actor deployed VIRTUALPITA and VIRTUALPIE to establish persistence, allowing for continued access to the hypervisors and the guest machines."

Alternatively, on FortiManager devices that implement internet access restrictions, the threat actor is said to have pivoted from a FortiGate firewall compromised with CASTLETAP to drop a reverse shell backdoor named REPTILE ("/bin/klogd") on the network management system to regain access.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

Also employed by UNC3886 at this stage is a utility dubbed TABLEFLIP, a network traffic redirection software to connect directly to the FortiManager device regardless of the access-control list (ACL) rules put in place.

This is far from the first time Chinese adversarial collectives have targeted networking equipment to distribute bespoke malware, with recent attacks taking advantage of other vulnerabilities in Fortinet and SonicWall devices.

The revelation also comes as threat actors are developing and deploying exploits faster than ever before, with as many as 28 vulnerabilities exploited within seven days of public disclosure — a 12% rise over 2021 and an 87% rise over 2020, according to Rapid7.

This is also significant, not least because China-aligned hacking crews have become "particularly proficient" at exploiting zero-day vulnerabilities and deploying custom malware to steal user credentials and maintain long-term access to target networks.

"The activity \[...\] is further evidence that advanced cyber espionage threat actors are taking advantage of any technology available to persist and traverse a target environment, especially those technologies that do not support EDR solutions," Mandiant said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack

U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.
"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit,"

U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.

"The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit," the authorities said.

The alert comes courtesy of the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC).

Since emerging in late 2019, the LockBit actors have invested significant technical efforts to develop and fine-tune its malware, issuing two major updates — LockBit 2.0, released in mid-2021, and LockBit 3.0, released in June 2022. The two versions are also known as LockBit Red and LockBit Black, respectively.

"LockBit 3.0 accepts additional arguments for specific operations in lateral movement and rebooting into Safe Mode," according to the alert. "If a LockBit affiliate does not have access to passwordless LockBit 3.0 ransomware, then a password argument is mandatory during the execution of the ransomware."

The ransomware is also designed to infect only those machines whose language settings do not overlap with those specified in an exclusion list, which includes Romanian (Moldova), Arabic (Syria), and Tatar (Russia).

Initial access to victim networks is obtained via remote desktop protocol (RDP) exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and weaponizing of public-facing applications.

Upon finding a successful ingress point, the malware takes steps to establish persistence, escalate privileges, carry out lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies, before initiating the encryption routine.

"LockBit affiliates have been observed using various freeware and open source tools during their intrusions," the agencies said. "These tools are used for a range of activities such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration."

One defining characteristic of the attacks is the use of a custom exfiltration tool referred to as StealBit, which the LockBit group provides to affiliates for double extortion purposes.

The ransomware gang, notably, suffered a huge blow in late September 2022 when a disgruntled LockBit developer released the builder code for LockBit 3.0, raising concerns that other criminal actors could take advantage of the situation and spawn their own variants.

In November, the U.S. Department of Justice reported that the LockBit ransomware strain has been used against at least 1,000 victims worldwide, netting the operation over $100 million in illicit profits.

Industrial cybersecurity firm Dragos, earlier this year, revealed that LockBit 3.0 was responsible for 21% of 189 ransomware attacks detected against critical infrastructure in Q4 2022, accounting for 40 incidents. A majority of those attacks impacted food and beverage and manufacturing sectors.

The FBI's Internet Crime Complaint Center (IC3), in its latest Internet Crime Report, listed LockBit (149), BlackCat (114), and Hive (87) as the top three ransomware variants victimizing critical infrastructure in 2022.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

The advisory comes as the BianLian ransomware group has shifted its focus from encrypting its victims' files to pure data-theft extortion attacks, months after cybersecurity company Avast released a free decryptor in January 2023.

In a related development, Kaspersky has published a free decryptor to help victims who have had their data locked down by a version of ransomware based on the Conti source code that leaked after Russia's invasion of Ukraine last year led to internal friction among the core members.

"Given the sophistication of the LockBit 3.0 and Conti ransomware variants, it is easy to forget that people are running these criminal enterprises," Intel 471 noted last year. "And, as with legitimate organizations, it only takes one malcontent to unravel or disrupt a complex operation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LockBit 3.0 Ransomware: Inside the Cyberthreat That's Costing Millions

CISOs can and should push back when they're presented with budget costs that affect the business. Here's how.

Today's enterprise security executives face situations that could really hurt the company's bottom line. Security teams are trying to modernize security operations in an increasingly porous network environment with ever more sophisticated threats. There are also economic pressures from layoffs, budget cuts, and restructuring.

Even worse, CFOs have heard from CISOs the doom-and-gloom predictions of the potential fiscal disaster of data breaches so often that it's no longer resonating with them.

The doomer scenario is not hypothetical — global compliance requirements and privacy regulations drive the cost of a breach even higher than just the technical costs. However, CFOs and other C-level executives have heard these warnings so often now that it's just background information that doesn't drive their decision making.

Is there a more effective way to help the CFO understand why security needs to be far better funded? Yes: Present the CFO with a shared-risk scenario.

**Setting Protection Priorities**

Allan Alford, who was a CISO in various industries including technology, communications, and business services before morphing into a CISO consultant, says CISOs should use a different approach to describe cybersecurity issues to the CFO. They should begin by asking the CFO to identify the six most important strategic elements of the business — possibly including the supply chain, manufacturing operations, sensitive future product plans, etc. — then detail their plans for protecting each of those critical areas, Alford says.

The CISO can present the situation to the CFO in the following manner: "Thanks for sharing those priorities. Now, you are saying we need to cut the security budget by 37%. Given the state of the economy in our sectors, that is completely understandable. To make the cuts possible, can you tell me which of these six areas I should stop protecting? We will also need to bring in the line-of-business executive so that you can explain how these changes will impact that area."

Historically, CISOs, CSOs, CROs, and other security-adjacent executives have been good soldiers, accepting the CFO-ordered cuts and deciding where changes have to be made, Alford says. This conflicts with the CISO's job: to protect the company — including all intellectual property and all assets.

If the CFO decides to cut back security funding, they need to work with the COO, the CEO, the board, and other senior executives to decide which operations they can afford to not protect. It should not be left to the CISO to make those calls or defend the choices.

In fairness, the decision is rarely black-and-white. But if the CISO positions the budget decisions in this manner, the CFO will see the actual business impact the reductions would have. When the CFO is forced to decide where the cuts will happen and to choose which top-priority division is left undefended, the conversation shifts, Alford says. The CISO can say to the CFO, "We'll jointly figure out what risks are tolerable, but make no mistake: A 37% cut will put various units at extreme risk. Can the business afford that deep a cut in our defenses?"

The CISO can present cost-effective alternatives to reduce security defenses, rather than eliminating them entirely. Now there is the possibility of negotiating a smaller budget cut. Maybe that 37% cut becomes a 23% cut.

**Negotiating as a Group**

The conversation shouldn't begin and end with the CFO, says Daniel Wallance, an associate partner with McKinsey. It should involve the board's risk committee, the CEO, the COO, and other colleagues who have a role in security spending, such as the CIO and the CRO.

"There is also spend coming from risk management \[and\] compliance on top of IT. I would engage those functions, as they have shared \[security\] responsibility and they may actually have dedicated resources," Wallance says. "I need this to _not_ be a one-on-one conversation. I want to make it a group."

These conversations with other security executives should happen before _and_ after the CFO meeting, but not during.

The CISO needs to meet with the other security players before meeting with the CFO to learn what overlaps and redundancies currently exist. The CISO also needs to know how much budget flexibility those other executives are willing to offer. That will be crucial information to have while working with the CFO. After meeting with the CFO, the CISO can go back to the other executives and see what they can negotiate as a group.

The actual CISO-CFO meeting should be just the two executives, to avoid making the CFO feel ganged up on. The discussion should be as friendly as possible to allow for reasonable compromises.

Involving the board's risk committee is critical, as it is ultimately the board's role — working with the CEO — to dictate the company's risk tolerance. If the CFO's requested budget reductions conflict with that risk tolerance, the board needs to know about it.

"The CISO should be meeting with the risk committee regularly," Wallance says. "The business may not understand the implications of the budget cut. The CFO is not the only person at issue here."

**Adapting to Market Conditions**

Larger trends in the economy also affect CISO budgetary needs.

There is a realistic existential threat to cyber insurance, the net that CFOs have relied on for more than 20 years. Lloyds of London said that it would stop covering the losses from state actor attacks, which is problematic given how difficult it is to prove an attack's origin and who funded it. Insurance giant Zurich warned it might abandon cyber insurance entirely. And an Ohio Supreme Court decision raised the prospect of other cyber insurance limitations. Those changes could sharply increase the pressure on the CFO to better fund security, given that the enterprise will now be on the hook for the full amount of damages.

A complicating factor is the much-ballyhooed cybersecurity talent shortage. Whether the gap is as big as some say, it's true that the cost of talent today is higher than what most budgets allow. So, yes, you will have difficulty finding qualified people, but increase the salary enough and, poof — no more talent shortage.

Richard Haag, the VP for compliance services at consulting firm Intersec Worldwide Inc., maintained that the difficulty in acquiring sufficiently experienced talent is a powerful argument in those CFO discussions.

"\[I\]n security, labor is about the only thing that can possibly be cut. You can't just swap out firewalls. These agreements are locked in," Haag says. "You need to say 'I can barely protect your top strategic areas now. With the cuts you want, I simply won't be able to defend your top targets and certainly not your not-so-top targets. I need more people, certainly not fewer people.'"

Alford also suggests the CISO point out how they negotiate lower vendor costs. Document it and share it with the CFO to demonstrate that the budget is being spent wisely.

"Demonstrate your efficiencies by driving vendor discounts as low as you can get them to go. CFOs want to know the money is being well spent, and 'we got a heck of a deal' does that well," Alford says.

Finally, the CISO can also make the case for better security delivering more revenue. Does higher security investment make prospective customers more comfortable? Is lack of security making some existing customers leave? For example, if a financial institution chooses to reimburse customers in all fraud situations — rather than what most FIs do, which is to only reimburse in some situations — it could boast that its customers are better protected against fraud, prompting customers to leave competitors. That move would justify higher cybersecurity spend because of the greater acceptance of fraud costs.

"If you can shorten that sales cycle and prove that security gained more sales, it can be highly persuasive to CFOs: 'Today, three customers walked away, but tomorrow none will,'" Alford says.

Tag

#intel