CyberWire Daily - Darknet dollars exposed.

Episode Date: September 27, 2024

International Law Enforcement Seizes Domains of Russian Crypto Laundering Networks. The real-world risk of a recently revealed Linux vulnerability appears low. Criminal Charges Loom in the Iranian Hack of the Trump Campaign. Meta is fined over a hundred million dollars for storing users’ passwords in plaintext. Delaware’s public libraries grapple with the aftermath of a ransomware attack. Tor merges with Tails. Progress Software urges customers to patch multiple vulnerabilities. A critical vulnerability in VLC media player has been discovered. Our guests are Mark Lance, Vice President of DFIR and Threat Intelligence at GuidePoint Security, and Andrew Nelson, Principal Security Consultant at GuidePoint Security, discussing their work on "Hazard Ransomware – A Successful Broken Encryptor Story." Having the wisdom to admit you just don’t know.

Selected Reading
US-led operation disrupts crypto exchanges linked to Russian cybercrime (The Record)
Highly Anticipated Linux Flaw Allows Remote Code Execution, but Less Serious Than Expected (SecurityWeek)
Criminal charges coming in alleged Iranian hack of Trump campaign emails: Sources (ABC News)
Meta fined $101 million for storing hundreds of millions of passwords in plaintext (The Record)
Hackers attack Delaware libraries, seek ransom. Here's what we know (Delaware Online)
Tor Merges With Security-Focused OS Tails (SecurityWeek)
Progress urges admins to patch critical WhatsUp Gold bugs ASAP (Bleeping Computer)
VLC Player Vulnerability Let Attackers Execute Malicious Code, Update Now (Cyber Security News)
Bigger AI chatbots more inclined to spew nonsense — and people don't always realize (Nature)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for Delete.me.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout. That's joindeleteme.com slash N2K, code N2K. International law enforcement seizes domains of Russian crypto laundering networks. The real world risk of a recently revealed Linux vulnerability appears low. Criminal charges loom in the Iranian hack of the Trump campaign. Meta is fined over $100 million for storing users' passwords in plain text.
Starting point is 00:02:21 Delaware's public libraries grapple with the aftermath of a ransomware attack. Tor merges with Tails. Progress Software urges customers to patch multiple vulnerabilities. A critical vulnerability in VLC media player has been discovered. Our guests are Mark Lance and Andrew Nelson from GuidePoint Security, discussing their work, Hazard Ransomware, a successful broken encryptor story. And having the wisdom to admit you just don't know. It's Friday, September 27th, 2024. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Happy Friday, and thank you for joining us here today.
Starting point is 00:03:27 On Thursday, the U.S. government and Dutch authorities took coordinated action against several Russian cryptocurrency exchanges and individuals accused of laundering cybercrime proceeds. The U.S. Treasury sanctioned the exchange Cryptex and Russian national Sergei Sergeyevich Ivanov, who is also allegedly involved with PM2BTC, a virtual currency exchange labeled a primary money laundering concern by the Treasury's Financial Crimes Enforcement Network. Authorities seized websites and infrastructure tied to Cryptex, PM2BTC, and UAPS, another payment processor linked to Ivanov. Cryptex allegedly handled over $51 million from ransomware operations, while PM2BTC's transactions were heavily tied to criminal activities, including over $600,000 linked to darknet markets. Ivanov is accused of laundering hundreds of millions in virtual currency for ransomware operators and darknet vendors over the past 20 years.
Starting point is 00:04:39 The U.S. Department of State announced a reward of up to $10 million for information leading to the arrest of Ivanov and another Russian national, Timur Shakhmamatov, the alleged creator of Joker's Stash, a major online marketplace for stolen data that was shut down in 2021. These sanctions are part of ongoing efforts to disrupt Russian cybercriminals who often operate freely within Russia. However, it remains uncertain whether these measures will effectively cut off such criminals from the global financial system. On September 23rd, researcher Simone Margaritelli
Starting point is 00:05:20 teased a serious vulnerability affecting all GNU Linux systems, a remote execution flaw with a hefty CVSS score of 9.9. The flaw, tied to the common Unix printing system, CUPS, gained attention for its potential impact. Shortly after, technical details were leaked online, forcing Margaretelli to disclose the vulnerability along with a proof of concept exploit. Four related CUPS vulnerabilities were revealed, allowing attackers to execute arbitrary code by hijacking print jobs via malicious URLs. However, while the vulnerabilities
Starting point is 00:05:59 seemed critical at first, further analysis revealed significant mitigating factors. The affected CUPS services aren't vulnerable by default, and an attacker needs specific access to exploit them. Though Shodan shows 75,000 exposed CUPS daemons online, real-world exploitability appears low, especially in server environments. Still, patches are pending, and users are advised to mitigate by disabling vulnerable services. So, it's concerning, but not quite the next Heartbleed or Eternal Blue. Federal law enforcement officials are set to announce criminal charges related to an alleged Iranian hack of emails from members of former President Trump's campaign, according to sources speaking to ABC News. The hackers
Starting point is 00:06:53 reportedly accessed internal documents, including materials used to vet potential running mates for Trump. The stolen data was allegedly shared with individuals connected to the Biden campaign. The Trump campaign, as victims, has been informed of the upcoming charges following standard Department of Justice procedures. Irish Data Protection Commission for storing hundreds of millions of user passwords in plain text, a violation of the EU's General Data Protection Regulation. Meta first discovered the issue in 2019 and claimed that only internal employees had access to the unencrypted passwords with no evidence of misuse. However, after a five-year investigation, the DPC found Meta failed to implement proper security measures and did not promptly notify authorities. Meta's failure to protect users' passwords was deemed a breach of GDPR, which mandates robust safeguards for
Starting point is 00:08:00 sensitive data. The DPC's decision was supported by other EU regulators, though the full reasoning behind the fine has not yet been made public. Delaware's public libraries are grappling with the aftermath of a ransomware attack that began on September 20th, disrupting services statewide. The breach has caused internal outages and forced some libraries to temporarily close, while others, like Wilmington Public Library, keep their doors open but have closed their computer labs. The Delaware Department of State confirmed ransomware as the cause, but the investigation is ongoing. The Ransom Hub hacker group has claimed responsibility, allegedly exfiltrating 56 gigabytes of data. No ransom details have been confirmed.
Starting point is 00:08:49 The attack is particularly hard on vulnerable individuals like those experiencing homelessness who rely on library Internet access. Delaware joins Washington state and Colorado in facing similar cyber attacks this year, underscoring the growing threat to public institutions. The TOR project has merged with the security-focused TAILS operating system, a move aimed at enhancing privacy and security protections for high-risk users, such as journalists and activists. After nearly a decade of collaboration, the merger allows Tails to benefit from Tor's larger operational framework,
Starting point is 00:09:32 addressing challenges like HR and fundraising. This partnership will enable Tails to focus on its core mission of improving its OS while expanding its use cases. The merger also increases visibility for Tails among Tor's user base. The Tor project is a non-profit organization that develops and maintains Tor, the Onion router, a free and open-source software designed to help people achieve online privacy and anonymity. Progress Software has urged customers to patch multiple critical and high-severity vulnerabilities in its WhatsApp Gold network monitoring tool. Although the company
Starting point is 00:10:13 released an update on September 20th to address these issues, it has not provided specific details about the flaws. Six vulnerabilities reported by security researchers impact prior versions. Customers are advised to upgrade immediately to avoid exploitation. Attackers have already been exploiting two WhatsApp Gold SQL injection vulnerabilities since August, potentially leading to remote code execution, according to security researchers. A critical vulnerability in VLC media player has been discovered, allowing attackers to execute malicious code via a specially crafted MMS stream. The flaw, caused by an integer overflow leading to a heap-based overflow, could result in VLC crashing or potentially executing arbitrary code with the user's privileges.
Starting point is 00:11:07 The VLC team has fixed the issue in the most recent version, and users are strongly urged to update immediately to safeguard against potential attacks. To stay protected, users should avoid opening MMS streams from untrusted sources and disable VLC browser plugins until the update is applied. Andreas Fobian of Mantodia Security reported the vulnerability. Coming up after the break, Mark Lance and Andrew Nelson from GuidePoint Security describe their work, Hazard Ransomware, a successful broken encryptor story. Stay with us.
Starting point is 00:12:10 Do you know the status of your compliance controls right now? Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks like SOC 2 and ISO 27001. They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI.
Starting point is 00:12:50 Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now, a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7,
Starting point is 00:13:46 365, with Black Cloak. Learn more at blackcloak.io. Mark Lance is Vice President of DFIR and threat intelligence at GuidePoint Security. And Andrew Nelson is principal security consultant also at GuidePoint Security. I recently got together with them to discuss their work, Hazard Ransomware, a successful broken encryptor story. It was a post ransomware encryptor deployment. So the client that we were working with had already had encryption deployed. I think in their particular instance, they had some vulnerabilities
Starting point is 00:14:36 with a public-facing server. The threat actor got access. They went through their typical TTPs of enumerating internal systems, gathering credentials. Ultimately, when they had identified the backups, they went ahead and deployed the ransomware. So, Mark, help me understand here. so mark help me understand here i mean when someone comes to you in this situation is there a a standard playbook that that typically uh goes into action yeah certainly i mean each each incident is unique and you respond you know specific to each of them but ultimately a lot of
Starting point is 00:15:20 clients will reach out to us when they're seeing suspicious activities in their environment, or maybe they've got certain ransom notes that are showing up on systems. And so ultimately, what we do is, step one, let's get on a phone call. And let's understand what you guys have going on, what steps you've taken, and what actions have been taken at this point in time. We're also going to ask questions about visibility. What do we have access to? What data sources can we leverage? Essentially, what levers we can pull and what switches we can flip that's going to give our team the visibility we need to perform an investigation. Because ultimately,
Starting point is 00:15:55 what we want to find out is, how did somebody get into the environment? Once they got into the environment, what are they doing or what did they do? Did they attempt to steal certain information or access certain information? And if they did steal information, what information did they steal? And then ultimately, the goal is to, in a lot of these circumstances, specifically surrounding ransomware, if there's been some sort of encryption, one, we want to help the client recover so that they can restore operations, but also do that in a manner that's going to be secure, while also ensuring that we can perform that forensic investigation to make sure that they're not going to be able to continue to
Starting point is 00:16:37 access the environment. And part of that as well is going to include potentially reaching out to the threat actor, to these cyber criminal groups, and saying, hey, even if there's no intent on paying a ransom, initiating those discussions potentially to prolong the period before they publish or post information about what they've taken from the environment if you don't pay. Or maybe, I don't know, there is an appetite to pay. But ultimately, these are a lot of variables that go into the overall response effort and things that need to be taken into consideration. So, Andrew, can you describe to us what exactly played out here in terms of there ultimately being a broken encryptor? Right. So, there was a couple things in play. So first off, for reasons that we're not
Starting point is 00:17:28 exactly sure why, the affiliate that was deploying the ransomware actually executed multiple instances of the encryptor on the same system. So that, in conjunction with there being a bug in the encryptor itself, led to particular instances of files that were encrypted multiple times. The bug itself was essentially, during the time that the files were encrypted, there was a brief window where the second encryptor that was executed could also encrypt that file. So the encryptor didn't use anything like a mutex to halt a similar encryptor from running.
Starting point is 00:18:16 It also, towards the end, before it renamed the file and changed the extension, there was a brief window of time where the file wasn't locked anymore. So that allowed the second encryptor to then encrypt it again. The last issue with this bug is that there's a footer that's appended at the bottom that contains very important configuration information about how the data is actually decrypted. And the last few bytes in this particular instance that we're missing were associated
Starting point is 00:18:52 with that initialization factor. That was ultimately the stream of data that we had to brute force in order to decrypt the file. Wow. Mark, it sounds like a worst-case scenario here. I'm amazed that you didn't end up
Starting point is 00:19:12 with basically digital mush. Yeah, absolutely. Those are some of the concerns that when we're working on a client's behalf to perform the communications or what people would consider ransomware negotiations. We're trying to establish terms.
Starting point is 00:19:30 If we do reach a settlement, here are the terms of the settlement where you're going to give us access to a decryptor so we can decrypt our encrypted systems. You're going to give us a method of ingress, how you got into the environment. And you're also going to ensure that the information that you stole is not published or disclosed on their website. And so those are generally the terms. Now that being said,
Starting point is 00:19:57 realistically, you have to be aware that you're dealing with a cyber criminal. Somebody who has extorted you for money recently, and now they're trying to act on good faith and say, oh, these are the things we're going to get you. And so in a lot of instances, we've seen where they will go through troubleshooting steps and a progression of events to try to make sure that you are actually getting access to what they've alluded to or promised as part of those terms, because they don't want to get a bad reputation. They don't want it to be known that, oh, if you pay this specific group, you're not going to get access to the decryption
Starting point is 00:20:36 capabilities. And then all of a sudden, people are going to stop paying that group. And these groups are built to monetize their efforts. But in this specific instance, we were extremely lucky in the sense and we worked with the threat actor to say, hey, this decryptor is not working. They provided another version back, which was the initial decryptor with a different name of the same file. And so thankfully through continued troubleshooting, because at that point, the threat actor did stop communicating and just, you know, kind of closed up shop
Starting point is 00:21:12 for this one and moved on to the next. Thankfully, we were able to work to get access back to the information that the client needed to restore operations. In your experience with helping people restore their data after they've been through an encryption event like this, how common is it for you to be working with someone whose estimates of how long this would take were in the right ballpark? Were it all accurate? I mean, I would guess that a lot of people really underestimate the effort here it takes to get back up and running. Absolutely.
Starting point is 00:21:49 And in a lot of instances, organizations are expecting to have their backups. But if they didn't have good backup security posture, then they may have been deleted. So that throws a complete curveball in terms of the restoration process. And oftentimes what we see is that the organization either doesn't have the staff to be in kind of a 24-7 mode to really get back up to speed where they need to be. And usually in those circumstances, it's very beneficial for them to have some kind of augmentation to their staff to assist with that restoration process.
Starting point is 00:22:36 Mark, what's your advice to folks? I mean, when they hear stories like this, to minimize the impact of something like this. Do you have any words of wisdom you can share? Yeah. I mean, I'd say, you know, user awareness and focus on fundamentals. I think one of the things that we find to be extremely beneficial is a lot of this stuff starts with, you know, people clicking on a phishing link or some sort of vulnerability. And I think, you know, as organizations, we do a good job of making sure people know how to potentially identify phishing or ensuring that their systems are up to date and making sure that they're patched.
Starting point is 00:23:17 And so I think educating people not just on how to identify it or how to perform those updates. But on top of that, getting them to really understand the true impact that could potentially be associated with not performing those things. And so I think a lot of people are like, oh, yeah, it's a phishing email. I accidentally clicked a link, maybe entered some credentials. Hopefully, it won't be that bad. I'll go ahead and report it over to my information security team. But what a lot of people don't realize is that these multi-million dollar, completely catastrophic incidents are all
Starting point is 00:23:52 initiated via that one thing or that one system that got stood up that IT wasn't aware of and wasn't patched. And so again, I think it comes down to just making sure we're focusing on core and fundamental things that everybody should be doing from user awareness, good hygiene, being attentive, sharing information. And a lot of those things can help us pick up these things earlier in the lifecycle of the threat versus once the encryption binaries have already been deployed and they're starting that encryption process. Our thanks to Mark Lance and Andrew Nelson from GuidePoint Security for joining us. We'll have a link to their research in the show notes. Cyber threats are evolving every second, and staying ahead is more than just a
Starting point is 00:24:59 challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, my dearly departed father-in-law was a gifted, And finally, my dearly departed father-in-law was a gifted, respected research chemist at the FDA. He was a kind, intelligent man with a hearty laugh and a quick wit. He also suffered from something my wife and I came to call male answer syndrome.
Starting point is 00:26:03 People suffering from this condition, and they are usually men, feel compelled to confidently answer any and every question put to them, whether they have any idea what they're talking about or not. Sufferers of male answer syndrome seem to be physically incapable of uttering those three simple words, I don't know. Which brings me to a recent study that found that larger, more advanced AI chatbots are great at giving correct answers, but also more prone to confidently spewing nonsense. Researchers at the Valencian Research Institute for Artificial Intelligence in Spain, discovered that as chatbots like GPT and Llama grow in size and capability, they're less likely to admit they don't know something and more likely to guess, and guess wrong. The study also showed people often fail to recognize these bad answers, with many users
Starting point is 00:27:01 mistaking them for accurate responses. The takeaway? While AI models are getting smarter, they're also getting better at BSing their way through tough questions. Developers are now urged to encourage these models to avoid answering tricky questions outright to reduce errors and help users better judge their reliability. In short, sometimes it's better for a chatbot to just say, I don't know. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Starting point is 00:27:44 Be sure to check out this weekend's Research Saturday, my conversation with Yves Yunen, Senior Manager with Talos Vulnerability Discovery and Research at Cisco. We're discussing their work, how multiple vulnerabilities in Microsoft apps for macOS paved the way to stealing permissions. That's Research Saturday. Do check it out. We'd love to know what you think of this podcast.
Starting point is 00:28:07 Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out a survey in the show notes or send an email to cyberwire at n2k.com. We're privileged that
Starting point is 00:28:27 N2K Cyber Wire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was produced by Liz Stokes. Our mixer is Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iben. Our executive editor is Brandon Karp.
Starting point is 00:29:04 Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
Starting point is 00:29:57 helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
