
Vercara’s Open-Source Intelligence (OSINT) Report – February 16 – February 22, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.


LockBit leaks expose nearly 200 affiliates and malware details.

(TLP: CLEAR) Law enforcement (LE) agencies have recently reported that, over the previous two years, almost 200 individuals have joined forces with the LockBit organization as “affiliates.” These affiliates engage in the group’s ransomware-as-a-service operations, employing LockBit’s tools to orchestrate cyberattacks. In return for their involvement, they receive a portion of the ransom payments extorted from the targets. Furthermore, the National Crime Agency (NCA) continues to reveal new insights daily from the seized domain of the ransomware syndicate following its operational dismantlement. The most recent disclosure exposes the data extracted from LockBit’s affiliate portal. It shows the registration of 187 affiliates between January 31, 2022, and February 5, 2024, delineating the scope of the gang’s network over the course of two years. Additionally, LE has commandeered the LockBit platform, garnering a substantial trove of intelligence detailing attack specifics, ransom transactions, pilfered information, and correspondence records. The NCA has overwritten the affiliate portal’s interface with a direct communiqué to the affiliates, alerting them to the ongoing probe and cautioning them about impending legal consequences.

(TLP: CLEAR) Analyst Comments: LockBit is a ransomware-as-a-service (RaaS) group that has been active since September 2019. The ransomware syndicate has emerged as a formidable powerhouse in the cybercriminal landscape, notorious for orchestrating a relentless onslaught of ransomware attacks targeting organizations and businesses across various sectors without discrimination, seeking to exploit vulnerabilities for monetary gain. During November 2023, the group claimed responsibility for compromising 484 distinct targets. This wave of attacks was largely facilitated by affiliates exploiting the Citrix Bleed vulnerability, which they used as a primary attack vector to gain initial access. Accordingly, organizations should update and patch their systems and applications as soon as updates are available.

(TLP: CLEAR) Recommended Best Practices/Regulations: To fortify against ransomware threats such as LockBit, it is recommended that organizations adopt a comprehensive security strategy. Regular backups of critical data are essential, and these backups should be stored offline or in a secure, separate location to protect them from compromise. Additionally, a robust patch management process is crucial for keeping all software, operating systems, and firmware up to date, closing potential vulnerabilities that ransomware could exploit. Lastly, deploying endpoint protection with an updated antivirus solution, along with advanced endpoint detection and response (EDR) tools, can provide strong defenses at the point of entry to business networks.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or ransomware detonation. Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

Source: https://www.theregister.com/2024/02/21/lockbit_leaks/

LockBit ransomware secretly building next-gen encryptor before takedown.

(TLP: CLEAR) Recent intelligence reporting has revealed insights on a new LockBit variant developed by the group before the recent law enforcement dismantlement of their network. According to investigators, this emergent strain, dubbed ‘LockBit-NG-Dev’, is written in .NET and appears to be compiled with CoreRT, marking a departure from the C++ codebase of earlier LockBit iterations. Additionally, reporting suggests that the latest LockBit encryptor is in an underdeveloped stage, evidenced by its absence of certain functionalities found in preceding models, such as autonomous replication and the capability to commandeer connected printers to print ransom demands. A detailed examination of the sample reveals it offers three distinct encryption modes—‘fast,’ ‘intermittent,’ and ‘full’—using a combination of AES and RSA to balance encryption speed against file size. Lastly, this nascent version allows for selective file or directory exclusion and features an auto-erasure function that purges LockBit’s file data, replacing it with null bytes.

(TLP: CLEAR) Analyst Comments: The recent dismantling of LockBit’s operational framework will likely put a momentary stop to their activities, with the apprehension of key operatives and the compromise of their servers and services. The unearthing of the new encryptor adds to the group’s setbacks, compelling them to both develop a fresh variant and reconstruct their operational base simultaneously. Should LockBit attempt a resurgence, the U.S. Department of State has announced a bounty of up to $15 million for intelligence that results in the pinpointing or capture of the ransomware syndicate’s members and their associates.

(TLP: CLEAR) Recommended Best Practices/Regulations: In addition to technical measures, it is recommended that organizations focus on user education and awareness. Routine training on cybersecurity best practices, including recognizing phishing emails, can empower employees to act as the first line of defense for their businesses. Lastly, staying informed on the latest cyber threats through your organization’s threat intelligence team and threat feeds can provide early warnings and insights.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or ransomware detonation.

Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

Source: https://www.bleepingcomputer.com/news/security/lockbit-ransomware-secretly-building-next-gen-encryptor-before-takedown/

Massive wireless service outage impacts US mobile subscribers.

(TLP: CLEAR) On Thursday, February 22, numerous customers across the U.S. from Verizon, T-Mobile, and AT&T reported experiencing disruptions or complete outages in their wireless service. According to data from the issue-monitoring website Downdetector, approximately 73,000 AT&T customers across various states, such as North Carolina, Louisiana, Texas, and Florida, reported service disruptions. Furthermore, the San Francisco Fire Department issued an alert regarding a “cell phone service outage,” stating that “AT&T wireless customers are unable to make or receive any phone calls, including emergency calls to 911, even though the 911 center remains fully operational.” Investigators reported that Downdetector’s data revealed that, in addition to AT&T, other cellular providers such as Verizon, T-Mobile, Cricket Wireless, Consumer Cellular, US Cellular, Straight Talk Wireless, and FirstNet had also encountered service issues. The latest reporting on the outages has indicated that wireless services have since been restored to all affected customers.

(TLP: CLEAR) Analyst Comments: According to Downdetector, areas most severely impacted by the AT&T outage appear to have been Dallas, Houston, Los Angeles, and Atlanta. There were also outage reports throughout the state of Florida, parts of Michigan, and New York. It was later stated that the outages were due to an application error and execution of an incorrect process during the company’s network expansion, and not as a result of a cyber-attack.

(TLP: CLEAR) Recommended Best Practices/Regulations: It is recommended organizations adopt a standardized approach to change processes. By harmonizing the procedures for implementing changes, organizations can greatly improve the reliability of their systems.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and Always On protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://www.bleepingcomputer.com/news/mobile/massive-atandt-outage-impacts-us-mobile-subscribers/

Source: https://about.att.com/pages/network-update

U.S. authorities disrupt Russian botnet.

(TLP: CLEAR) The U.S. federal government recently announced that it carried out a court-approved operation, dubbed ‘Dying Ember,’ aimed at dismantling the ‘MooBot’ botnet. This botnet was employed by hackers associated with Russia’s Main Intelligence Directorate (GRU), also referred to as APT 28, to facilitate their malicious cyber operations. According to reporting, the botnet comprised numerous Ubiquiti small office/home office (SOHO) routers, initially compromised by cybercriminals unaffiliated with the GRU. These attackers exploited default credentials to implant the MooBot malware, which provided persistent remote access to the devices. It is assessed that APT 28 managed to identify and access these compromised routers, utilizing the MooBot malware to embed its own scripts and platforms, thereby tailoring the botnet to serve its specific objectives. Furthermore, according to U.S. authorities, to neutralize the botnet they executed a series of undisclosed commands to first duplicate and then erase the harvested data and malicious files present on the compromised bots. Subsequently, they altered firewall rules to prevent APT 28 from regaining access to the routers.

(TLP: CLEAR) Analyst Comments: The MooBot botnet, based on the Mirai botnet, was initially identified by researchers in February 2021. By November 2021, it began exploiting a critical command injection vulnerability (CVE-2021-36260) in the web server of various Hikvision products. Reporting suggests that, since September 2022, the MooBot botnet has been observed targeting vulnerable D-Link routers. The botnet allowed APT 28 actors to mask their true location and harvest credentials and hashes, as well as host spear-phishing landing pages and other custom tooling for brute-forcing passwords, stealing router user passwords, and spreading the MooBot malware to other appliances.

(TLP: CLEAR) Recommended Best Practices/Regulations: It is highly recommended that users activate automatic updates for small office/home office (SOHO) devices to ensure the installation of the most recent security patches. Additionally, it is important for users to ensure proper configuration of these devices, such as limiting external access to management interfaces and deactivating unneeded services, while also maintaining robust password practices, including changing default passwords to unique and complex passwords.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.

Source: https://www.helpnetsecurity.com/2024/02/16/us-authorities-disrupt-russian-intelligence-botnet/

Leaked documents expose China’s commercial hacking industry.

(TLP: CLEAR) Over the weekend of February 16th, a series of leaked documents, allegedly from a Chinese security company (I-Soon), cast light on the nation’s commercial cyberespionage activities. These documents unveil hacking contracts with public agencies, a catalog of targets, and extensive discussions among employees spanning several years. The true origin of the leak remains uncertain, but experts familiar with China’s cyber industry suggest the contents seem authentic. Investigators who spoke to two employees of the company confirmed that both the company and Chinese law enforcement are probing the leak to ascertain its legitimacy. Initial analysis of the leaked documents reveals marketing materials, technical documents highlighting the company’s offensive capabilities, and internal communications. The company touts its previous counterterrorism efforts in Xinjiang and enumerates other terrorism-related entities it has targeted. Additionally, technical documentation showcases custom hardware surveillance devices and offensive toolkits, affirming the company’s emphasis on hacking-for-hire and offensive operations. Although I-Soon has remained silent regarding the leaks and did not respond to a request for comment, its website was taken offline on Tuesday, February 20th.

(TLP: CLEAR) Analyst Comments: The disclosed information offers insights into suspected Chinese cyberespionage activities previously noted by the threat intelligence community. The connections between these indicators and past breaches are currently being assessed. I-Soon, reportedly implicated in targeting at least 14 governments, pro-democracy groups in Hong Kong, universities, and NATO, finds its activities corroborated by the leaked documents. These disclosures are consistent with previous threat intelligence concerning several known threat groups.

(TLP: CLEAR) Recommended Best Practices/Regulations: In summary, the leak prompts significant inquiries within the cybersecurity community and highlights the dynamic evolution of state-affiliated cyber operations in China.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting.

Source: https://www.sentinelone.com/labs/unmasking-i-soon-the-leak-that-revealed-chinas-cyber-operations/

Source: https://nattothoughts.substack.com/p/i-soon-another-company-in-the-apt41

Zero-Day could impact up to 97,000 Microsoft Exchange servers.

(TLP: CLEAR) During last week’s Patch Tuesday, Microsoft addressed multiple vulnerabilities, including a zero-day flaw that could allow attackers to relay a user’s Net-NTLMv2 hash against a vulnerable server and authenticate as that user. Despite the release of patches, the threat monitoring service Shadowserver reports that approximately 97,000 servers remain vulnerable or potentially vulnerable to this zero-day. According to Shadowserver scans, the majority of these servers are located in Germany (25,000), followed by the US (22,000) and the UK (4,000). According to Microsoft, CVE-2024-21410 allows an attacker to target an NTLM client, such as Outlook, in an attack that leaks NTLM credentials. These compromised credentials can then be relayed to an Exchange server to escalate privileges and execute operations on the server as the victim. While Microsoft has confirmed that this vulnerability is being actively exploited, the company has not provided further details.

(TLP: CLEAR) Analyst Comments: Microsoft has verified that this vulnerability is currently being exploited in the wild, though the company has not disclosed additional specifics. Given that 97,000 servers remain unpatched, there exists a considerable risk of attackers exploiting this security flaw.

(TLP: CLEAR) Recommended Best Practices/Regulations: With CVE-2024-21410 actively being exploited, organizations should prioritize identifying potentially affected systems and applying the available mitigation and patches provided by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting.

Vercara UltraDDR (DNS Detection and Response) filters internal DNS responses from users as well as machines using both defined categories including botnet C&C as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or ransomware detonation.

Source: https://www.securityweek.com/recent-zero-day-could-impact-up-to-97000-microsoft-exchange-servers/

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.