The trial of the creators of the Lurk banking Trojan is finally over. They were stopped as a result of an unprecedented joint operation between a multitude of authorities, with the aid of our experts. The criminals were arrested in 2016, but the investigation and court case dragged on for another five years. This is hardly surprising, since the number of suspects and victims involved was unprecedented. Lurk's members had to be transported to the court by the busload, and the case files ran to 4000 volumes (one volume = 250 pages). The amount of work was colossal and time-consuming; the suspects analyzed every record and statement with a fine-tooth comb, but in 2018, 27 defendants faced trial.

Kaspersky has been monitoring the group's activities since 2011. I first heard about Lurk when I joined the company back in 2013. I remember thinking to myself: catch them and you can retire easily; consider your career complete. Compared to the usual cybercriminals of the day, they seemed really sophisticated, both technically and organizationally. That said, if I encountered Lurk today, I'd probably be less impressed and just see them as a group that followed best practices. The court's verdict is a good excuse to cast a retrospective eye over what was so special about their cybercriminal activity.

Infection scheme

We should start with the infection vector. The attackers used a watering-hole tactic, posting a redirect to an exploit kit on several business media websites. The method itself was not new, but in this case, to get infected, the victim (always an accountant) had to visit the site during their lunch break (and only at that time). The exploit kit downloaded a bodiless Trojan onto their computer, which was used solely for spying. The cybercriminals first studied what programs were running on the machine, whether there was banking software or any traces of investigation software, and what subnets the machine was working in (the primary focus was on banking and government networks). In other words, they assessed the computer's "interestingness" — and knew exactly who they wanted to infect. The main malware was downloaded only if the computer was indeed of interest. Otherwise, they would steal all the passwords they could lay their hands on, just in case, and remove the malware from the victim's machine.

Communication with C&C

No less remarkable was the process of information exchange between the Trojan and the command-and-control (C&C) server. The majority of Trojans of the time contained a hardcoded C&C address. The authors simply specified the domain name, leaving themselves the option, if need be, to change the server's IP address: that is, if they lost control over the main C&C address, they could simply replace it with a backup one. All told, it was a rather primitive security mechanism. Lurk was very different in this regard: the group employed a method worthy of a spy novel. Before a communication session, Lurk calculated the address of the C&C server. The cybercriminals went on Yahoo and looked at the share price of a particular company (during our research, this was McDonald's). Depending on the value of the stock at a specific point in time, they generated a domain name and accessed it. That is, to control the Trojan, the cybercriminals looked at the share price at that moment in time and registered a domain name based on these figures. In other words, it was impossible to know in advance which domain name would be used for the C&C server.

This raises a legitimate question: if the algorithm was embedded in the Trojan, what prevented a researcher from generating such a sequence, registering a domain name before the cybercriminals, and simply waiting for the Trojan to connect to it? Alas, Lurk's creators had taken precautions. They used asymmetric cryptography. That is, a key pair was generated, whereupon the bot, accessing the C&C server, would use the public key to check whether it really belonged to its owners (by verifying the digital signature). This is impossible to forge without knowing the secret key. So, only the owner of the secret key can receive requests from bots and issue commands — no outside researcher can mimic the C&C server. Other cybercriminals did not use this method of protection back then, so if we spotted private-key protection on the server, we could be sure that it was a Lurk attack.

Organized infrastructure

The set-up of Lurk's processes deserves a separate mention. If other cybercriminal groups back then were just a random bunch of forum users (one did the programming, another the cashing out, a third was the coordinator), then, by contrast, Lurk was almost a fully fledged IT company. It's more accurate to compare them with a large software corporation than with a cybercriminal group. What's more, in terms of organizational level, they remain a model for many groups to this day. Lurk was run by true professionals (most likely with strong development experience) who built a highly organized infrastructure with managers and HR staff. Unlike most gangs, they paid their employees a salary (rather than a percentage of the proceeds). They even used to hold weekly briefings, which in those days was completely unheard of. In short, it was an exemplary evil corporation. They even had a clearly structured role-based system for restricting access to information. After their arrest, some group members got to read the correspondence of their bosses and only then realized that they were not being treated fairly. They meticulously documented all their activities, far more so than many IT companies today. This, of course, greatly aided the investigation, and perhaps led ultimately to their downfall: the more systematic your approach is, the easier you are to trace. Here are some examples.

Knowledge bases

The Lurk group maintained a detailed knowledge base, clearly divided into projects. Each project was accessible only to a certain circle of people; that is, the participants in one project did not know about the activities of another. The projects varied greatly in scope, from highly technical to organizational. And the technical projects were subdivided into levels too. For example, the Trojan developers had access to the knowledge base only on related topics: how to bypass antiviruses, how to test, and so on. But there were also general databases on operational security (similar to real security regulations in large companies). These provided information about how Lurk employees should set up their workstations to avoid detection and how to use anonymization tools.

Access to information

To gain access to Lurk's information resources, cybercriminals needed to connect to a server through several VPNs. Even then they only received access to bot management. Next, each employee got their own certificate and their own account with different rights. In other words, it was like a regular corporate network set up for remote working. By and large, if it hadn't been for their lack of 2FA, they could have been considered a model company. Physically, all the servers were located in different data centers and in different countries. When you reach one of them at the virtual level through a VPN, you don't know the server's real IP address. This is largely what made the group so hard to sniff out.

Development

The Lurk group had proper source-code repositories, automated build and multi-step testing procedures, a production server, a test server and a development server. They were essentially making a serious software product: at any moment in time they had production, testing and development versions of the Trojan. The average C&C server of a typical Trojan back then could receive requests from bots, log them in a database and provide an admin panel to manage them. All this was effectively implemented on a single page. Lurk implemented the admin panel and database separately, while the mechanism for sending responses to bots was completely hidden behind an intermediary service.

Exploit kits

Lurk had three exploit kits, each of which had three different names: one internal, made up by its developers; one for clients and partners; and one assigned by researchers. The thing is, not only did Lurk's authors use their own developments, but they also sold exploit kits on the side to other cybercriminals. Moreover, the versions for partners had different code — clearly an attempt to disguise them as another very popular exploit kit.

The fall of Lurk

In the end, all the tricks the cybercriminals pulled were of little help. Most members of the group ended up being arrested, but only after the damage was done: during their long career, the attackers managed to steal around US$45 million. Our experts were studying their methods for almost six years (which, incidentally, provided valuable experience that we continue to employ to defeat cybercrime). For those interested in the business-relevant takeaways from this saga, we recommend this post. A detailed technical analysis is available in our Securelist post.
In January, KrebsOnSecurity examined clues left behind by “Wazawaka,” the hacker handle chosen by a major ransomware criminal in the Russian-speaking cybercrime scene. Wazawaka has since “lost his mind” according to his erstwhile colleagues, creating a Twitter account to drop exploit code for a widely-used virtual private networking (VPN) appliance, and publishing bizarre selfie videos taunting security researchers and journalists.

Wazawaka, a.k.a. Mikhail P. Matveev, a.k.a. “Orange,” a.k.a. “Boriselcin,” showing off his missing ring finger.

In last month’s story, we explored clues that led from Wazawaka’s multitude of monikers, email addresses, and passwords to a 30-something father in Abakan, Russia named Mikhail Pavlovich Matveev. This post concerns itself with the other half of Wazawaka’s identities not mentioned in the first story, such as how Wazawaka also ran the Babuk ransomware affiliate program, and later became “Orange,” the founder of the ransomware-focused Dark Web forum known as “RAMP.”

The same day the initial profile on Wazawaka was published here, someone registered the Twitter account “@fuck_maze,” a possible reference to the now-defunct Maze Ransomware gang. The background photo for the @fuck_maze profile included a logo that read “Waka Waka;” the bio for the account took a swipe at Dmitry Smilyanets, a researcher and blogger for The Record who was once part of a cybercrime group the Justice Department called the “largest known data breach conspiracy ever prosecuted.”

The @fuck_maze account messaged me a few times on Twitter, but largely stayed silent until Jan. 25, when it tweeted three videos of a man who appeared identical to Matveev’s social media profile on Vkontakte (the Russian version of Facebook). The man seemed to be slurring his words quite a bit, and started by hurling obscenities at Smilyanets, journalist Catalin Cimpanu (also at The Record), and a security researcher from Cisco Talos. At the beginning of the videos, Matveev holds up his left hand to demonstrate that his ring finger is missing. This he smugly presents as evidence that he is indeed Wazawaka. The story goes that Wazawaka at one point made a bet wherein he wagered his finger, and upon losing the bet severed it himself. It’s unclear if that is the real story about how Wazawaka lost the ring finger on his left hand; his remaining fingers appear oddly crooked.

“Hello Brian Krebs! You did a really great job actually, really well, fucking great — it’s great that journalism works so well in the US,” Matveev said in the video. “By the way, it is my voice in the background, I just love myself a lot.”

In one of his three videos, Wazawaka says he’s going to release exploit code for a security vulnerability. Later that same day, the @fuck_maze account posted a link to a Pastebin-like site that included working exploit code for a recently patched security hole in SonicWall VPN appliances (CVE-2021-20028).

When KrebsOnSecurity first started researching Wazawaka in 2021, it appeared this individual also used two other important nicknames on the Russian-speaking crime forums. One was Boriselcin, a particularly talkative and brash personality who was simultaneously the public persona of Babuk, a ransomware affiliate program that surfaced on New Year’s Eve 2020. The other handle that appeared tied to Wazawaka was “Orange,” the founder of the RAMP ransomware forum. I just couldn’t convincingly connect those two identities with Wazawaka using the information available at the time. This post is an attempt to remedy that.

On Aug. 26, 2020, a new user named Biba99 registered on the English language cybercrime forum RaidForums. But the Biba99 account didn’t post to RaidForums until Dec. 31, 2020, when they announced the creation of the Babuk ransomware affiliate program. On January 1, 2021, a new user “Babuk” registered on the crime forum Verified, using the email address teresacox19963@gmail.com, and the instant message address “admin@babuk.im.” “We run an affiliate program,” Babuk explained in their introductory post on Verified.

A variety of clues suggest Boriselcin was the individual acting as spokesperson for Babuk. Boriselcin talked openly on the forums about working with Babuk, and fought with other members of the ransomware gang about publishing access to data stolen from victim organizations. According to analysts at cyber intelligence firm Flashpoint, between January and the end of March 2021, Babuk continued to post databases stolen from companies that refused to pay a ransom, but they posted the leaks to both their victim shaming blog and to multiple cybercrime forums, an unusual approach.

This matches the ethos and activity of Wazawaka’s posts on the crime forums over the past two years. As I wrote in January: “Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder — not privately sold to the highest bidder. In thread after thread on the crime forum XSS, Wazawaka’s alias ‘Uhodiransomwar’ can be seen posting download links to databases from companies that have refused to negotiate after five days.”

Around Apr. 27, 2021, Babuk hacked the Washington Metropolitan Police Department, demanding $4 million in virtual currency in exchange for a promise not to publish the police department’s internal data. Flashpoint says that on April 30, Babuk announced they were shuttering the affiliate program and its encryption services, and that they would now focus on data theft and extortion instead. On May 3, the group posted two additional victims of their data theft enterprise, showing they were still in operation. On May 11, 2021, Babuk declared negotiations with the MPD had reached an impasse, and leaked 250 gigabytes worth of MPD data. On May 14, 2021, Boriselcin announced on XSS his intention to post a writeup on how they hacked the DC Police (Boriselcin claims it was via the organization’s VPN).

On May 17, Babuk posted about an upcoming new ransomware leaks site that would serve as a “huge platform for independent leaks,” — i.e., a community that would publish data stolen by no-name ransomware groups that don’t already have their own leaks/victim shaming platforms. On May 31, 2021, Babuk’s website began redirecting to Payload[.]bin. On June 23, 2021, Biba99 posted to RaidForums saying he’s willing to buy zero-day vulnerabilities in corporate VPN products. Biba99 posts his unique user ID for Tox, a peer-to-peer instant messaging service.

On July 13, 2021, Payload[.]bin was renamed to RAMP, which according to Orange stands for “Ransom Anon Market Place.” Flashpoint says RAMP was created “directly in response to several large Dark Web forums banning ransomware collectives on their site following the Colonial Pipeline attack by ransomware group ‘DarkSide.’” [links added]

“Babuk noted that this new platform will not have rules or ‘bosses,'” Flashpoint observed in a report on the group. “This reaction distinguishes Babuk from other ransomware collectives, many of which changed their rules following the attack to attract less attention from law enforcement.”

The RAMP forum opening was announced by the user “TetyaSluha.” That nickname soon switched to “Orange,” who appears to have registered on RAMP with the email address “teresacox19963@gmail.com.” Recall that this is the same email address used by the spokesperson for the Babuk ransomware gang — Boriselcin/Biba99.

In a post on RAMP Aug. 18, 2021, in which Orange is attempting to recruit penetration testers, he claimed the same Tox ID that Biba99 used on RaidForums. On Aug. 22, Orange announced a new ransomware affiliate program called “Groove,” which claimed to be an aggressive, financially motivated criminal organization dealing in industrial espionage for the previous two years. In November 2021, Groove’s blog disappeared, and Boriselcin posted a long article to the XSS crime forum explaining that Groove was little more than a pet project to mess with the media and security industries.

On Sept. 13, 2021, Boriselcin posted to XSS saying he would pay handsomely for a reliable, working exploit for CVE-2021-20028, the same exploit that @fuck_maze would later release to Twitter on Jan. 25, 2022.

Asked for comment on this research, cyber intelligence firm Intel 471 confirmed that its analysts reached the same conclusion. “We identified the user as the Russian national Михаил Павлович Матвеев aka Mikhail Pavlovich Matveev, who was widely known in the underground community as the actor using the Wazawaka handle, a.k.a. Alfredpetr, andry1976, arestedByFbi, boriselcin, donaldo, ebanatv2, futurama, gotowork, m0sad, m1x, Ment0s, ment0s, Ment0s, Mixalen, mrbotnet, Orange, posholnarabotu, popalvprosak, TetyaSluha, uhodiransomwar, and 999,” Intel 471 wrote.

As usual, I put together a rough mind map on how all these data points indicate a connection between Wazawaka, Orange, and Boriselcin.

A mind map connecting Wazawaka to the RAMP forum administrator “Orange” and the founder of the Babuk ransomware gang.

As noted in January’s profile, Wazawaka has worked with at least two different ransomware affiliate programs, including LockBit. Wazawaka said LockBit had paid him roughly $500,000 in commissions for the six months leading up to September 2020. Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes. The U.S. Department of State has since offered a $5 million reward for information leading to the arrest and conviction of any DarkSide affiliates.
In this episode of the podcast (#235) Justine Bone, the CEO of Medsec, joins Paul to talk about cyber threats to healthcare organizations in the age of COVID. Justine’s firm works with hospitals and healthcare organizations to understand their cyber risk and defend against attacks, including ransomware.
The CISA has added a new entry to its catalog of vulnerabilities exploited in the wild, which is an Apple WebKit remote code execution bug used to target iPhones, iPads, and Macs.
AdaptiveMobile Security published a research study that highlights how vulnerabilities in mobile network infrastructure could be weaponized in offensive military operations.
The San Francisco 49ers NFL team has fallen victim to a ransomware attack that encrypted files on its corporate IT network, a spokesperson for the team has told The Record.
Continuous security testing using multiple scanning types is fast becoming the norm as organizations recognize the need to analyze the software they build across multiple dimensions.
Hong Kong's privacy watchdog said on Friday that it had received reports from the firm two days ago about a cybersecurity incident involving several databases for room reservations.
Microsoft is enabling a Microsoft Defender 'Attack Surface Reduction' security rule by default to block hackers' attempts to steal Windows credentials from the LSASS process.
The tools – npm-secure-install, package-checker, and npm_issues_statistic – are designed to address some of the thorniest security problems of using open-source software packages.
Croatian phone carrier 'A1 Hrvatska' has disclosed a data breach. The information that has been accessed includes full names, personal identification numbers, physical addresses, and contact numbers.
Emil Frey was hit with a ransomware attack last month, according to a statement from the company. It showed up on the list of victims for the Hive ransomware on February 1.
Researchers have uncovered a cryptojacking malware named CoinStomp that is targeting Asian cloud service providers. To hinder forensic analysis of itself, the malware tries to tamper with Linux server cryptographic policies. The use of such techniques indicates that attackers are aware of incident response systems and are trying to gain immunity to them.
In a new twist, the authors of the BazarLoader and BazarBackdoor malware were spotted using template-based metaprogramming to obfuscate important data. Researchers found code patterns in the malware samples similar to those produced when samples are built with ADVobfuscator, an obfuscation library based on C++11/14 and metaprogramming. For defenders, a better understanding of these techniques may help malware reverse engineers create more efficient analysis tools.
Ransomware actors are constantly upgrading their TTPs and finding new ways to make profits. A new report by Chainalysis states that ransomware victims spent almost $700 million in ransom in 2020.
The hundreds of thousands of locations were collected by the NSW Customer Services Department through its QR code registration system and made public through a government website.
Red Hat Security Advisory 2022-0520-01 - Red Hat Data Grid is an in-memory, distributed, NoSQL datastore solution. It increases application response times and allows for dramatically improving performance while providing availability, reliability, and elastic scale. Data Grid 8.3.0 replaces Data Grid 8.2.3 and includes bug fixes and enhancements. Issues addressed include HTTP request smuggling, code execution, denial of service, and deserialization vulnerabilities.
Ubuntu Security Notice 5284-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, bypass security restrictions, obtain sensitive information, or execute arbitrary code. It was discovered that extensions of a particular type could auto-update themselves and bypass the prompt that requests permissions. If a user were tricked into installing a specially crafted extension, an attacker could potentially exploit this to bypass security restrictions.
This Metasploit module exploits a path traversal issue in Nagios XI before version 5.8.5. The path traversal allows a remote and authenticated administrator to upload a PHP web shell and execute code as www-data. The module achieves this by creating an autodiscovery job with an id field containing a path traversal to a writable and remotely accessible directory, and a custom_ports field containing the web shell. A cron file will be created using the chosen path and file name, and the web shell is embedded in the file. After the web shell has been written to the victim, this module will then use the web shell to establish a Meterpreter session or a reverse shell. By default, the web shell is deleted by the module, and the autodiscovery job is removed as well.
Red Hat Security Advisory 2022-0514-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.6.0 ESR. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-0513-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.6.0 ESR. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-0511-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.6.0 ESR. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-0510-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.6.0 ESR. Issues addressed include a bypass vulnerability.
Red Hat Security Advisory 2022-0512-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.6.0 ESR. Issues addressed include a bypass vulnerability.
Adobe on Sunday rolled out patches to contain a critical security vulnerability impacting its Commerce and Magento Open Source products that it said is being actively exploited in the wild. Tracked as CVE-2022-24086, the shortcoming has a CVSS score of 9.8 out of 10 on the vulnerability scoring system and has been characterized as an "improper input validation" issue that could be weaponized to
Spain's National Police Agency, the Policía Nacional, said last week it dismantled an unnamed cybercriminal organization and arrested eight individuals in connection with a series of SIM swapping attacks that were carried out with the goal of financial fraud. The suspects of the crime ring masqueraded as trustworthy representatives of banks and other organizations and used traditional phishing
Technical details have been disclosed regarding a number of security vulnerabilities affecting Moxa's MXview web-based network management system, some of which could be chained by an unauthenticated adversary to achieve remote code execution on unpatched servers. The five security weaknesses "could allow a remote, unauthenticated attacker to execute code on the hosting machine with the highest
A surge in "sophisticated, high impact" ransomware attacks has prompted the United States, UK, and Australian cybersecurity agencies issue a joint advisory about the techniques being used by cybercriminals to attack businesses and organisations. Read more in my article on the Tripwire State of Security blog.