Registered Agents Inc. has for years allowed businesses to register under a cloak of anonymity. A WIRED investigation reveals that its secretive founder has taken the practice to an extreme.

Inside a drab one-story office building in Post Falls, Idaho, a little-known American company has built the machinery that enables hundreds of thousands of businesses to operate in near-total secrecy.

The company, Registered Agents Inc., is a one-stop shop for people seeking to incorporate a business in any US state, often in those with advantageous tax policies, while obscuring their identities. According to five former employees of Registered Agents Inc. or its subsidiaries, the company routinely incorporates thousands of businesses on behalf of its customers using fake personas. Former Registered Agents Inc. employees say that the company’s widespread use of personas is an outgrowth of its founder’s obsession with privacy and a desire to push the boundaries of incorporation laws.

The registered agent industry, which incorporates businesses and acts as a point of contact for legal notices, is already effective at masking the identity of who owns a company. Registered agents have many legitimate uses, and states often require that a company have a registered agent. In some instances, however, these services have benefited “oligarchs, criminals, and online scammers,” according to a 2022 investigation by _The Washington Post_ and the International Consortium of Investigative Journalists. Experts say a lack of adequate federal and state regulations of registered agents helps to make the United States a hotbed for money-laundering and other shady business dealings.

In a typical scenario, a registered agent would incorporate a company on behalf of a customer. An employee of the registered agent company would list their name on the incorporation documents, sometimes providing the company’s email address and office as contact information. That process provides business owners one layer of secrecy, preventing anyone who looks at state records from determining the real owner of a company.

Registered Agents Inc., according to the former employees, routinely goes one step further, incorporating companies in the names of fictional personas created by the company’s founder, Dan Keen. It’s unclear what benefit Registered Agents Inc. or its customers receive when a company is incorporated by a fake identity.

Around the country, at least 1,463 companies incorporated by Registered Agents Inc. list a woman named Riley Park as an organizer or agent, according to a WIRED analysis of publicly available incorporation documents. But Riley Park isn’t a real person, the former employees say. She’s one of multiple fake personas used by Registered Agents Inc. Former employees identified at least 10 fake personas used by the company, including David Roberts, Drake Forester, and Morgan Noble.

Using business records made public by OpenCorporates, a website that shares and standardizes information sourced from business registries around the world, WIRED found 36,257 business listing company officers who share names that former employees say are fake. At least 3,735 of these businesses’ incorporation paperwork references Registered Agents Inc., either explicitly in the paperwork or by using an address known to former employees as belonging to Registered Agents Inc.

WIRED’s analysis found that these companies are registered in 20 different states and appear to provide services ranging from law enforcement training to landscaping. Many of these companies with officers using an alleged fake name were registered to addresses known by sources to belong to Registered Agents Inc. For example, six allegedly fake names were listed as officers for 887 of businesses registered to the same address in Sheridan, Wyoming—an office of Registered Agents Inc.

This is likely an undercount. WIRED looked specifically for company records indicating that Registered Agents Inc. incorporated the company alongside at least one of a dozen false names provided by sources. We additionally looked for companies registered by these same false names associated with addresses previously utilized by Registered Agents Inc. for incorporating thousands of other companies. Sources believe the true number is likely much higher.

Registered Agents Inc. declined to fully answer WIRED’s detailed set of questions about its business practices.

“To put it plainly, your assertions in this question set are outdated and patently wrong about Registered Agents Inc.,” the company said in a statement. “Therefore, at this time Registered Agents Inc. will provide no comment as it is apparent that you, Wired and its editors attempt \[to\] fit a pre-arranged narrative through publishing false facts and other blatant lies.”

Registered Agents Inc. says that it has offices in every state in the US and in Washington, DC, allowing it to offer its customers the ability to register a business anywhere. Many of those offices are small outfits located near state government offices, so its employees can easily submit paperwork. (The Sheridan office is located just a block away from city hall.)

Registered Agents Inc. has expanded beyond incorporation services, building custom software to manage entire businesses. Last year, it acquired Epik, a domain registrar and web hosting company that had previously catered to far-right extremists.

Much of the company’s high-level operations and development take place in the Pacific Northwest, including Spokane, Washington, and Post Falls, Idaho. The company has two major subsidiaries: Two Barrels LLC, which develops software, and Corporate Tools LLC, which enables its customers to manage the filings of multiple businesses.

“Somebody will hire \[Registered Agents Inc.\] to create an LLC, and then \[Registered Agents Inc. will\] sign all that paperwork with fake identities and submit it to the Secretary of State,” says Mikhail Slyusarev, who worked as a senior software engineer at the company for more than six years. “There’s no oversight, you're not really answering to anybody, and you’re just making shit up.”

On July 29, 2015, Registered Agents Inc. updated the name listed on its own incorporation documents it had filed with the Wyoming secretary of state. While Keen had previously signed as president and registered agent of the company, the new registered agent for the company was a man named Bill Havre.

Registered Agent Inc.’s website featured a vivid yarn detailing Havre’s life story, according to an archived version of the site from December 2021. Havre grew up on a small ranch in Wyoming and studied medicine at the University of California, Berkeley in the early 1970s, the bio read. But shortly after enrolling in classes, Havre returned home to Wyoming to tend to a family emergency, eventually starting his own businesses in the state.

“After gaining some insight into the nature of starting a business, Mr. Havre was intrigued by the business entity formation process, particularly concerned by what at the time seemed exorbitant fees paid to attorneys to complete and file corporate formation documents,” the website said.

Havre was once listed on Registered Agent Inc.’s website as the company’s president and executive director. Havre has helped register 491 companies with Registered Agents Inc., WIRED found. He’s also an entirely fabricated persona, five former employees say, an invention of Dan Keen.

That 2015 document is the earliest recorded instance of the company using fake names identified by WIRED. Havre’s name was removed from the company’s website in 2022 following inquiries from _The Washington Post_ and the International Consortium of Investigative Journalists.

The Wyoming incorporation paperwork viewed by WIRED includes the full text of the state law against filing a false document, reminding registrants that doing so may be a felony punishable by up to two years in prison and a $2,000 fine. Former employees say that customers of Registered Agents Inc. typically aren’t aware that a fake name is used to sign their company’s incorporation documents.

Provided a copy of the Wyoming incorporation document, experts say using a fake person would likely violate the law. “This does look like it requires a real person to sign—Riley Park would seemingly be in violation,” says Gary Kalman, the executive director of Transparency International US, an anti-corruption group.

Former Registered Agents Inc. employees allege that Keen justified using fake names by saying it was a way to protect employees from being drawn into legal battles and being forced to testify about the company’s customers.

The laws for incorporating companies in America are decided at the state level, allowing a prospective business owner to shop around based on tax advantages, anonymity rules, and other considerations. Many state offices don’t fully investigate filings to determine if the signatories are legitimate, former employees of Registered Agents Inc. say.

“There is no federal requirement, there is no state-level requirement that these registered agents have any code of ethics. There’s no anything,” says Sarah Beth Felix, an expert on financial transparency. “For being essential gatekeepers to legitimize businesses, they’re grossly unregulated.”

Former employees say that the registered agents industry benefits from relaxed incorporation laws in states like Wyoming and Montana, where registering a completely anonymous company is as simple as paying a registered agent service as little as $200. That makes the US an appealing location for illicit financial activity even before the added layer of opacity by a registered agent.

According to two former employees, the company doesn’t screen to see if its customers are real people, or even if their email addresses are legitimate. Former employees say they raised concerns about not knowing the true identity of all of their customers to company leadership, but were dismissed. Experts and former employees said that verifying the identity of its customers is often not required for registered agents.

“You could say your name was Billy Bob and your email was BillyBob123, and we would have created an LLC for you,” the former software developer says.

“Dan takes it almost to an extreme. He tries to maximize what the laws allow in each state,” says Don Evans, who worked in a chief technical officer role at the company. “If people find ways to use his services that are in the gray area, he would turn a cheek to it.”

Since 2008, Dan Keen has grown his business from a small company serving customers in the Pacific Northwest to a major national player in what’s known as the corporate formation industry. The company and its competitors offer the ability to incorporate a business in the state of a customer’s choosing and receive mail and legal notices.

Keen started the company after running a tree trimming and landscaping business. Former employees said Keen worked tirelessly to build the business, often sending emails at all hours of the night.

“Dan put in a lot of effort, he worked nonstop,” says Matt MacKenzie, who worked as a legal compliance specialist for more than 11 years and was one of the company’s earliest employees.

When the company was a small upstart, Keen regularly listed his name on the formation documents of the company and its various subsidiaries in states across America. “It wasn't until down the road a couple years later, where he started wanting to use full-on fake names and take his name off all the corporate paperwork for Registered Agents Inc.,” MacKenzie says.

Keen is described by former employees as a driven but eccentric businessman who is prone to micromanagement and sudden shifts in mood. Keen dresses modestly, former employees say, wearing shorts and flannel shirts, and is an avid skier and outdoorsman.

Keen often took a passive aggressive approach with his staff, according to six former employees. Two recounted Keen begrudgingly offering health care plans to employees after being told it was required by the Affordable Care Act, allegedly telling his staff they were “whiners and complainers” for asking for it.

Multiple former employees described Keen as “inappropriate,” saying he often made comments about employees' physical appearance. Two former employees described him as making misogynistic statements, which allegedly included making sexual comments about women and frequently questioning their ability to perform their job.

Several former employees questioned the high-security nature of the office, which they say was filled with security cameras and required them to lock their cell phones in boxes. Slyusarev, Registered Agents Inc.’s former senior software engineer, says the phone system, which he says he installed, was capable of surreptitiously recording employee phone calls.

Former employees say that Keen chafed at government regulations and exercised complete control over the company and its operations. Keen has no website or social media profiles and doesn't give interviews about his business.

“He thinks people are out to get him, or out to get the company,” Evans, the former senior employee, claims.

Details about its inner workings, including the ownership and management structure, are concealed from employees, who say they were discouraged from discussing it at the office. And the practice of using fake personas extends even to Registered Agents Inc.’s own workers.

When Don Evans began interviewing at Registered Agents Inc., he recalled first speaking over LinkedIn with Diane Brunner, who identified herself as a recruiter at the company. When he arrived at the office for an interview, he asked to speak with Brunner and was told nobody by that name works at the company.

Jack Stephenson, who claims to be a vice president and client relations director at Registered Agents Inc. on LinkedIn, is another fake persona, employees say. Stephenson frequently comments on the registered agents industry on LinkedIn. He lists a Bachelor of Business Administration from Utah State University on his profile, but an official from the university told WIRED they couldn’t find any records pertaining to Jack Stephenson.

Inside Registered Agents Inc., the Shadowy Firm Pushing the Limits of Business Privacy

Ubuntu Security Notice 6653-4 - It was discovered that a race condition existed in the ATM subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. It was discovered that a race condition existed in the AppleTalk networking subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code.

    ==========================================================================Ubuntu Security Notice USN-6653-4March 04, 2024linux-gke vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux-gke: Linux kernel for Google Container Engine (GKE) systemsDetails:It was discovered that a race condition existed in the ATM (AsynchronousTransfer Mode) subsystem of the Linux kernel, leading to a use-after-freevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-51780)It was discovered that a race condition existed in the AppleTalk networkingsubsystem of the Linux kernel, leading to a use-after-free vulnerability. Alocal attacker could use this to cause a denial of service (system crash)or possibly execute arbitrary code. (CVE-2023-51781)Zhenghan Wang discovered that the generic ID allocator implementation inthe Linux kernel did not properly check for null bitmap when releasing IDs.A local attacker could use this to cause a denial of service (systemcrash). (CVE-2023-6915)Robert Morris discovered that the CIFS network file system implementationin the Linux kernel did not properly validate certain server commandsfields, leading to an out-of-bounds read vulnerability. An attacker coulduse this to cause a denial of service (system crash) or possibly exposesensitive information. (CVE-2024-0565)Jann Horn discovered that the TLS subsystem in the Linux kernel did notproperly handle spliced messages, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2024-0646)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   linux-image-5.15.0-1051-gke     5.15.0-1051.56   linux-image-gke                 5.15.0.1051.50   linux-image-gke-5.15            5.15.0.1051.50After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6653-4   https://ubuntu.com/security/notices/USN-6653-1   CVE-2023-51780, CVE-2023-51781, CVE-2023-6915, CVE-2024-0565,   CVE-2024-0646Package Information:   https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1051.56

Ubuntu Security Notice USN-6653-4

Debian Linux Security Advisory 5635-1 - Aviv Keller discovered that the frames.html file generated by YARD, a documentation generation tool for the Ruby programming language, was vulnerable to cross-site scripting.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5635-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffMarch 04, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : yardCVE ID         : CVE-2024-27285Aviv Keller discovered that the frames.html file generated by YARD, adocumentation generation tool for the Ruby programming language, wasvulnerable to cross-site scripting.For the oldstable distribution (bullseye), this problem has been fixedin version 0.9.24-1+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 0.9.28-2+deb12u2.We recommend that you upgrade your yard packages.For the detailed security status of yard please refer toits security tracker page at:https://security-tracker.debian.org/tracker/yardFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmXmMwMACgkQEMKTtsN8TjYteA/+OJKIMLYc36uSErez5guFT6OYcCINkwjm8Uv+7S9lkBp3aq80agghHHPwoghyZaW/2VohG/nDEFXh5g/NUPNFT+/044ymLsSMgJOF8C80+K6xJ7C/lHBeqYOMIjxzWuooWe0pL7ZLMpZHIipvbVtlS/M+GkjBudPMptMdk8hxfX3zlNgzJqxvZdE7dOu/eTqUOc+aOXRo7NPXkYfqkzkJxwy6DFnkRMrVd9IvHcYOs3Aw0EQE92QTsB68etFwakgmZZOzLW1ubkYJWGXGKq0ASWuGOlSUGjx62KiGWR53iIGUhY4VEQRUDjmPOVDoxOePO1Vr0W6UPqbsrGqSyKwpU8lqQKqAGbOJyw5XsnOjhu/fk1q9J3DRA/oa8fc/6Vgt+Ys8nOj1YHW+SbxjseRnGFraPqq88ICJ1Lg/UsxHn1RcO1dozClKI+FxLlbyZMFETA1yfy2+iHu6go5jQDTjQHuLk4aUzSAf1y6a8507QWyQSThB+9gehIs+GxTLRzYIOTgB40xrE5vaouVvZb5Qg9j9P1j2DY3+R8+ig+15nnMaVRSAQFaXl+9Vyn3STUox9lvhxBB7tCYEWV4P6IPQqjwsNWMKZR0gfmpJxrql3cUCkFTH68prMfWNbPYfsqVrnVkWQMzkqb1NvAdyYP3TJYEDdG1oI09vIye4d6VXbW4==CnLF-----END PGP SIGNATURE-----

Debian Security Advisory 5635-1

Red Hat Security Advisory 2024-1082-03 - An update for gnutls is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1082.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: gnutls security updateAdvisory ID:        RHSA-2024:1082-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1082Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2024-0553====================================================================Summary: An update for gnutls is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The gnutls packages provide the GNU Transport Layer Security (GnuTLS) library, which implements cryptographic algorithms and protocols such as SSL, TLS, and DTLS.Security Fix(es):* gnutls: incomplete fix for CVE-2023-5981 (CVE-2024-0553)* gnutls: rejects certificate chain with distributed trust (CVE-2024-0567)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-0553References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2258412https://bugzilla.redhat.com/show_bug.cgi?id=2258544

Red Hat Security Advisory 2024-1082-03

Red Hat Security Advisory 2024-1081-03 - An update for sqlite is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a buffer overflow vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1081.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: sqlite security updateAdvisory ID:        RHSA-2024:1081-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1081Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-7104====================================================================Summary: An update for sqlite is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server.Security Fix(es):* sqlite: heap-buffer-overflow at sessionfuzz (CVE-2023-7104)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-7104References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2256194

Red Hat Security Advisory 2024-1081-03

Red Hat Security Advisory 2024-1078-03 - An update is now available for Service Telemetry Framework 1.5.4. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1078.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Service Telemetry Framework 1.5.4 security updateAdvisory ID:        RHSA-2024:1078-03Product:            Red Hat OpenStack PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:1078Issue date:         2024-03-05Revision:           03CVE Names:          CVE-2023-39326====================================================================Summary: An update is now available for Service Telemetry Framework 1.5.4.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Security Fix(es):* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests  (CVE-2023-39326)* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges.  (CVE-2023-45287)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Service Telemetry Framework (STF) provides automated collection of measurements and data from remote clients, such as Red Hat OpenStack Platform or third-party nodes. STF then transmits the information to a centralized, receiving Red Hat OpenShift Container Platform (OCP) deployment for storage, retrieval, and monitoring.Solution:CVEs:CVE-2023-39326References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2253193https://bugzilla.redhat.com/show_bug.cgi?id=2253330https://issues.redhat.com/browse/OSPRH-2140https://issues.redhat.com/browse/OSPRH-2577https://issues.redhat.com/browse/OSPRH-3492https://issues.redhat.com/browse/OSPRH-800https://issues.redhat.com/browse/OSPRH-825

Red Hat Security Advisory 2024-1078-03

Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.

Tuesday, March 5, 2024 08:00

*   Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year.
*   GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
*   The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries. 
*   GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX\_GhostLocker, providing various options for their affiliates. 
*   Talos also discovered two new tools in GhostSec arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.

**Victimology of ransomware attacks**

Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.  

The collaborative operation affected victims across various business verticals, according to disclosures made by the groups in their Telegram channels.

Talos’ observation in GhostSec’s Telegram channels highlighted the group’s continued attacks on Israel’s Industrial systems, critical infrastructure and technology companies. On Nov. 12, 2023, they claimed that the affected organizations also included the Ministry of Defense in Israel.

Example of GhostSec’s Telegram chat message.

**GhostSec has remained active since this past year**

GhostSec is a hacker group that claims to be one of a modern-day Five Families group that includes ThreatSec, Stormous, Blackforums and SiegedSec on their Telegram channels. GhostSec is financially motivated, conducting single and double extortion attacks on victims across various geographies. They have also conducted several denial-of-service (DoS) attacks and have taken down victims’ websites, according to their Telegram channel messages. Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities. 

The actor’s name, GhostSec, resembles the well-known hacktivist Ghost Security Group, primarily focusing on counterterrorism efforts and targeting pro-ISIS websites. The Ghost Security Group mentioned in their blog that another hacking group mimics their identity. 

In October 2023, GhostSec announced a new ransomware-as-a-service (RaaS) framework called GhostLocker. After their successful collaborative operations with the Stormous ransomware group in July 2023 against Cuban ministries, on Oct. 14, 2023, the Stormous gang announced that they would use the GhostLocker ransomware program in addition to their StormousX program. 

Stormous ransomware Telegram chat message.

Since then, the GhostSec and Stormous ransomware groups have jointly conducted double extortion ransomware attacks targeting victims across various business verticals in multiple countries. Along with the ransomware attacks, GhostSec seemed to be conducting attacks against corporate websites, including a national railway operator in Indonesia and one of Canada’s leading energy companies. They have likely leveraged their GhostPresser tool along with the cross-site scripting attack technique to compromise the websites. 

On Feb. 24, 2024, Stormous group mentioned on “The Five Families” Telegram channel that they have started their new ransomware-as-a-service (RaaS) program “STMX\_GhostLocker” along with their partners in GhostSec. The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service). 

The group has shared their working model flow diagrams for member and non-member affiliates on their Telegram channels.

Stmx\_GhostLocker member affiliate working model.

Stmx\_GhostLocker non-member affiliate working model.

Stormous ransomware and GhostSec have rebuilt the new official blog of their RAAS program Stmx\_GhostLocker on the TOR network, with features for the affiliates to join their program and disclose their victim’s data. Their blog dashboard shows the count of victims and disclosures of victims’ information with a link to their leaked data. They also display the largest ransom as $500,000 USD — we are not sure if that is the highest ransom payment they have received. 

Redacted picture of Stmx\_GhostLocker blog. 

**Evolution of GhostLocker 2.0 ransomware **

In November 2023, GhostSec announced a newer version of their GhostLocker ransomware called GhostLocker 2.0. Recently we observed that they have again started advertising their latest Golang version “GhostLocker 2.0” by calling it “GhostLocker V2” and mentioning their ongoing work on the GhostLocker V3, indicating their continuous evolution in developing their toolset. 

GhostLocker 2.0 encrypts the files on the victim’s machine using the file extension “.ghost” and drops and opens a ransom note. The ransom note has changed from its previous version, where the operator tells users to secure the encryption ID displayed in the ransom note and share it with them in their chat service during the negotiation by clicking “Click me.” The operator also mentions that the victim’s stolen data will be disclosed if they fail to contact them in seven days. 

Ransom Note of GhostLocker (left) and ransom Note of GhostLocker 2.0 (right).

The GhostLocker RAAS has a C2 panel where the affiliates can get an overview of their attacks and gains. When deployed on the victim’s machine, the ransomware binaries will register to the C2 panel, and the affiliates can track the encryption status on the victim’s machine. Talos discovered the GhostLocker 2.0 C2 server with the IP address 94\[.\]103\[.\]91\[.\]246 located in Moscow, Russia. We observed that the geolocation of the C2 server is similar to that of the C2 servers of earlier versions of the GhostLocker ransomware that security researchers at Uptycs reported. 

GhostLocker C2 panels.

GhostLocker RAAS provides its affiliates with the ransomware builder, which contains configuration options, including the mode of persistence that the ransomware binary can establish after being successfully run on the victim machine, target directories to encrypt, and techniques to evade the detections, such as killing the defined processes or services or running the arbitrary command to kill the scheduled task or bypass the User Account Controls (UAC). 

GhostLocker 2.0 ransomware builder panel.

Talos discovered the new variant of GhostLocker ransomware, “GhostLocker 2.0” in the wild on Nov. 15, 2023. The majority of the ransomware functionality of GhostLocker 2.0 remains the same as that of its earlier version GhostLocker, which was written in Python, excluding the watchdog component that the operator had used in earlier versions to start the dropped ransomware binary from the victim’s machine Windows Startup location and the AES encryption key length of 256 bits with that of 128 bits in the earlier version. 

During the initial execution, GhostLocker 2.0 copies itself to the Windows Startup folder to establish persistence. It also generates a random string of 32 bytes and uses the generated string as the filename for its dropped copy in the Windows Startup folder. 

After establishing the persistence, the ransomware establishes the connection to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]incrementLaunch.

A function that initiates the connection to C2.

After establishing a successful connection with the C2 server, the ransomware generates the secret key and the encryption ID and gathers the victim’s IP address, infection date and other information from its configuration parameters, including encryption status, ransom amount and a victim identifier string, to create a JSON file in the victim’s machine memory.

JSON file generated in the machine’s memory.

The generated JSON file is sent to the C2 server through the URL hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]addInfection to register the victim’s machine infection in the C2 panel.

Function to register the infection to the C2 by sending the JSON file.

After registering the victim’s machine infection with the C2 panel, the ransomware attempts to terminate the defined processes or services or Windows scheduled tasks from its configuration parameters in the victim’s machine to evade detection. 

Functions to stop Windows scheduled tasks. 

GhostLocker 2.0 searches for the target files on the victim’s machine according to the file extension list defined by the threat actor, and before the encryption routine starts, it will upload the target files to the C2 server through the URL “hxxp\[://\]94\[.\]103\[.\]91\[.\]246\[/\]upload” using HTTP post method. In the GhostLocker 2.0 sample we analyzed, the actor has configured the ransomware to exfiltrate and encrypt the files that have file extensions .doc, .docx, .xls and .xlsx. 

Function to exfiltrate the target files to the C2 server. 

After successfully exfiltrating, GhostLocker 2.0 encrypts the targeted files and appends “.ghost” as the file extension for the encrypted files. During the encryption process, GhostLocker 2.0 skips the “C:\\Windows” folder. After completing the encryption routine, the ransomware drops the embedded ransom note to an HTML file with the filename “Ransomnote.html” on the victim’s desktop and launches it using the Windows \`Start\` command. 

A function that drops and opens ransom notes.

Talos’ research uncovered two new tools in GhostSec’s arsenal that the hacking group claimed to have used in compromising legitimate websites. One of them is the “GhostSec Deep Scan toolset” to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called “GhostPresser.”

The GhostSec deep scan toolset is a Python utility that an attacker can use to scan the websites of their potential targets. 

The tool has several modules to perform the following scans on the targeted websites:

*   Perform a user-specific search. 
*   Scans multiple websites.
*   Extract the hyperlinks on the website. 
*   Performs a deep scan and analyzes the technologies used to build the web page.
*   Scans the security protocols to detect the SSL/TLS and HSTS (HTTP Strict Transport Security).
*   Perform the website content analysis and extract the contents to a file.
*   Performs a WhoIs lookup.
*   Checks for the existence of any broken links in the website.

The tool also contains placeholders to perform specific functions including SSL analysis, DNS lookup, checks for robots.txt and sitemap.xml, CVE scans on the targeted website, and an advanced search based on the file type, date range and the custom criteria of the websites, indicating the GhostSec’s continuous evolution of tools in their arsenal. 

One of the modules that stood out to us is the \`deep\_scan\` function that the actor has defined to parse and scrape information from the targeted web pages and assess the technologies used in the web page. It is done by using the Python libraries Beautiful Soup, a Python package used for parsing data out of HTML and XML files, and the BuiltWith Python library, a Python package used to detect the technology used by a website, such as Apache, JQuery and WordPress. 

A function to parse and identify the technology used in the webpage.

GhostPresser, an admin bypass and hacking tool targeting the WordPress content management system, is a shell script that GhostSec claims to have used in an XSS attack against a legitimate website in Canada. The tool appears to be under enhancement process as we spotted several placeholders in the tool to include functionalities to perform audits on the targeted websites. We are not sure at this moment about what type of audits the threat actor intends to implement in their tool. 

GhostPresser tool.

A threat actor can achieve the following actions after successfully injecting the GhostPresser into a targeted website on WordPress. 

*   Bypass logins and perform actions such as test cookies. 
*   Activate and deactivate a plugin. 
*   Change WordPress settings.
*   Create a new user. 
*   Update WordPress core information. 
*   Functions to install a new theme.

Below is an example of the function in the GhostPresser to install new themes in WordPress.

Function to install new WordPress theme.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62983-62989, and 300818-300820. 

ClamAV detections are also available for this threat:

Win.Ransomware.GhostSec-10020906-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

GhostSec’s joint ransomware operation and evolution of their arsenal

Vault and Vault Enterprise (“Vault”) TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as trusted certificate. In this configuration, an attacker may be able to craft a malicious certificate that could be used to bypass authentication. Fixed in Vault 1.15.5 and 1.14.10.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-2048

**Incorrect TLS certificate auth method in Vault**

High severity GitHub Reviewed Published Mar 4, 2024 to the GitHub Advisory Database • Updated Mar 6, 2024

**Package**

gomod github.com/hashicorp/vault (Go)

**Affected versions**

\>= 1.15.0, < 1.15.5

< 1.14.10

**Patched versions**

1.15.5

1.14.10

**Description**

Published to the GitHub Advisory Database

Mar 4, 2024

GHSA-r3w7-mfpm-c2vw: Incorrect TLS certificate auth method in Vault

Ubuntu Security Notice 6673-1 - Hubert Kario discovered that python-cryptography incorrectly handled errors returned by the OpenSSL API when processing incorrect padding in RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose confidential or sensitive information. It was discovered that python-cryptography incorrectly handled memory operations when processing mismatched PKCS#12 keys. A remote attacker could possibly use this issue to cause python-cryptography to crash, leading to a denial of service. This issue only affected Ubuntu 23.10.

==========================================================================  
Ubuntu Security Notice USN-6673-1  
March 04, 2024

python-cryptography vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in python-cryptography.

Software Description:  
- python-cryptography: Cryptography Python library

Details:

Hubert Kario discovered that python-cryptography incorrectly handled  
errors returned by the OpenSSL API when processing incorrect padding in  
RSA PKCS#1 v1.5. A remote attacker could possibly use this issue to expose  
confidential or sensitive information. (CVE-2023-50782)

It was discovered that python-cryptography incorrectly handled memory  
operations when processing mismatched PKCS#12 keys. A remote attacker could  
possibly use this issue to cause python-cryptography to crash, leading to a  
denial of service. This issue only affected Ubuntu 23.10. (CVE-2024-26130)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   python3-cryptography            38.0.4-4ubuntu0.23.10.2

Ubuntu 22.04 LTS:  
   python3-cryptography            3.4.8-1ubuntu2.2

Ubuntu 20.04 LTS:  
   python-cryptography             2.8-3ubuntu0.3  
   python3-cryptography            2.8-3ubuntu0.3

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-cryptography             2.1.4-1ubuntu1.4+esm1  
   python3-cryptography            2.1.4-1ubuntu1.4+esm1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6673-1  
   CVE-2023-50782, CVE-2024-26130

Package Information:  
https://launchpad.net/ubuntu/+source/python-cryptography/38.0.4-4ubuntu0.23.10.2  
https://launchpad.net/ubuntu/+source/python-cryptography/3.4.8-1ubuntu2.2  
https://launchpad.net/ubuntu/+source/python-cryptography/2.8-3ubuntu0.3

Ubuntu Security Notice USN-6673-1

Ransomware gangs are using a powerful new trojan named PikaBot.

A new type of malware is being used by ransomware gangs in their attacks, and its name is PikaBot.

A relatively new trojan that emerged in early 2023, PikaBot is the apparent successor to the **infamous QakBot (QBot) trojan** that was shut down in August 2023. QBot was used by many ransomware gangs in the past for its versatile ability to facilitate initial access and deliver secondary payloads.

After QBot got shut down, there was a vacuum in the ransomware gang tool box—but **with PikaBot, that’s beginning to change**: last month we wrote about the first recorded instance of PikaBot being used by ransomware gangs, specifically Black Basta, in their attacks.

Let’s dig into how PikaBot works, how it’s distributed, how ransomware gangs use it in their attacks, and how to stop it with ThreatDown.

**A closer look at PikaBot**

To get a better idea of how PikaBot works, we need to first understand what a modular trojan is.

Simply put, **a modular trojan** is a type of malware designed to be flexible and extensible, allowing attackers to add or update its functionalities easily without needing to replace the whole malware.

The modular nature of trojans like QBot and PikaBot are what makes them so dangerous. Unlike simpler malware, **PikaBot can execute arbitrary commands, download additional payloads, and inject malicious shellcode into legitimate processes** running on a victim’s computer. Think of it like a backdoor that allows attackers to set up for the next stages of their attacks.

Once it’s installed onto a system, PikaBot has a whole host of ways to stay under the radar, evading detection by most conventional security tools through techniques like indirect system calls and advanced obfuscation methods.

**How Pikabot is distributed**

The distribution of PikaBot, like many other malicious loaders such as QBot and DarkGate, **is heavily reliant on email spam campaigns**. Even so, ThreatDown Intelligence researchers have seen PikaBot being delivered via malicious search ads as well (also known as “**malvertising**”).

PikaBot’s initial access campaigns are meticulously crafted, utilizing geolocalized spam emails that target specific countries. The emails often contain links to external SMB (Server Message Block) shares, which host malicious zip files.

SMB shares are network folders leveraging the SMB protocol—a network file sharing protocol designed for sharing files and printers across devices on a network. Attackers often use SMB shares to distribute malware. In this case, **downloading and opening the hosted zip file results in PikaBot infection.**

For example, consider the below phishing email containing a link to a zip file containing the PikaBot payload.

Source: ANY.RUN (Translation: I sent you some paperwork the other day. Did you get it?)

Once the recipient interacts with these emails by clicking on the link, they are taken to the SMB share hosting the malicious zip files.

Extracting a zip and double-clicking on the executable within it will install PikaBot.

Source: ANY.RUN

**How ransomware gangs use PikaBot**

Ransomware gangs commonly use modular trojans like PikaBot for their attacks.

Before it was shut down, for example, Qbot allowed ransomware gangs to **seamlessly integrate various attack techniques into their operations**, including stealing credentials, moving laterally across networks, and ultimately deploying ransomware or other malicious payloads.

PikaBot is being used by ransomware attackers in a similar way.

Once PikaBot has established a foothold in a network, it allows attackers to engage in **a wide range of follow-up activities**.

For example, researchers have noted affiliates of the BlackBasta ransomware gang using PikaBot to use **encrypted communications with command and control (C&C) servers**. Pikabot can also assist gangs in getting detailed information about infected systems, **helping them tailor their ransomware for maximum impact.**

**How to stop PikaBot with ThreatDown**

Besides preventing initial access through things such as a web content filter and phishing training, choosing an Endpoint Detection and Response (EDR) platform that **automatically detects and quarantines threats** like PikaBot is crucial.

However, given the constant evolution of malware, identifying dynamic threats like Pikabot boils down to two words: **threat hunting**.

At ThreatDown, we talk a lot about the importance of threat hunting for SMBs—and not for no good reason, either. Just consider the fact that, when an attacker breaches a network, they don’t attack right away. **The median amount of time between system compromise and detection is 21 days**.

By that time, it’s often too late. Data has been harvested or ransomware has been deployed.

Threat hunting helps find and remediate highly-obfuscated threats like PikaBot that can quietly lurk in the network, siphoning off confidential data and searching for credentials to access the “keys to the kingdom.”

For example, as detailed in one case study, the ThreatDown Managed Detection and Response (MDR) team employed threat hunting techniques to uncover and neutralize a sophisticated QBot attack on a reputable oil and gas company. The team’s approach involved **meticulously examining Indicators of Compromise (IoCs), analyzing network traffic, and scrutinizing unusual patterns of behavior** within the company’s IT infrastructure, ultimately resulting in Qbot’s discovery on the network and isolation of infected systems.

ThreatDown MDR workflow

**Stop threats like PikaBot today**

Want to learn more about how ThreatDown stops new threats like PikaBot? Fill out this form to speak with an expert and get a custom quote.

Tag

#ssl